Windows Analysis Report

Overview

General Information

Analysis ID: 483805

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Encoded PowerShell Command Line
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5812 cmdline: cmd /C 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6872 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • chrome.exe (PID: 2228 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://localhost:3000/' MD5: C139654B5C1438A95B321BB01AD63EF6)
        • chrome.exe (PID: 3864 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,10890315135357203982,11269941993251781077,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1692 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: powershell.exe PID: 6872
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0x807a:$sa2: -EncodedCommand
  • 0x814d:$sa2: -EncodedCommand
  • 0x165be:$sa2: -EncodedCommand
  • 0xb44c5:$sa2: -EncodedCommand
  • 0xd2733:$sa2: -EncodedCommand
  • 0x111de0:$sa2: -encodedCommand
  • 0x111e0c:$sa2: -encodedCommand
  • 0x112fe9:$sa2: -EncodedCommand
  • 0x113084:$sa2: -encodedCommand
  • 0x8046:$sc2: -NoProfile
  • 0x8119:$sc2: -NoProfile
  • 0x1658a:$sc2: -NoProfile
  • 0x8df11:$sc2: -NoProfile
  • 0x8e889:$sc2: -NoProfile
  • 0xb44a2:$sc2: -NoProfile
  • 0xb4567:$sc2: -NoProfile
  • 0xb4776:$sc2: -NoProfile
  • 0xb4994:$sc2: -NoProfile
  • 0xb4beb:$sc2: -NoProfile
  • 0xb499f:$sd1: -NonI
  • 0x8051:$sd2: -NonInteractive

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5812, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, ProcessId: 6872
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5812, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA, ProcessId: 6872
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132761813011681934.6872.DefaultAppDomain.powershell

Jbx Signature Overview

Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\2228_259065336\LICENSE.txt
Source: Joe Sandbox View IP Address: 239.255.255.250

System Summary:

Source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR; Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07FCDFC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07FCF9C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07FCB030
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07FCB022
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://localhost:3000/'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,10890315135357203982,11269941993251781077,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1692 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:584:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210915
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vsi0y314.bpq.ps1
Source: classification engine | Classification label: mal52.evad.win@37/204@3/7
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\2228_259065336\LICENSE.txt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (96 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1077
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332 | Thread sleep count: 2179 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332 | Thread sleep count: 1077 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5652 | Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 976 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: powershell.exe, 00000002.00000003.727424522.000000000561F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000002.00000003.727424522.000000000561F000.00000004.00000001.sdmp | Binary or memory string: (m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000002.00000002.756731000.00000000095A5000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\cmd.exe | Process created: Base64 decoded Start "`"http://localhost:3000`""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAaAB0AHQAcAA6AC8ALwBsAG8AYwBhAGwAaABvAHMAdAA6ADMAMAAwADAAYAAiACIA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://localhost:3000/'
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | PowerShell2 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion21 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

Behavior Graph
