Windows Analysis Report
5yv6ZxNaTP.exe

Overview

General Information

Sample name: 5yv6ZxNaTP.exe
renamed because original name is a hash value
Original sample name: 121222d12d96665d88f8e60a419329f0.exe
Analysis ID: 1546425
MD5: 121222d12d96665d88f8e60a419329f0
SHA1: 51ed963231e60e1b6bcbbf81f325184f4a314beb
SHA256: 1fcc27fc5d5ab23eb89fecedaf7c036fa5d9fee5854868dcc0b98d2023fbdb2c
Tags: 64exetrojan
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Powershell create lnk in startup
AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Potentially malicious time measurement code found
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.1% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D4800 LoadLibraryExW, 0_2_005D4800
Source: 5yv6ZxNaTP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4x nop then cmp rdx, rbx 0_2_005AC2E0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4x nop then cmp rdx, 40h 0_2_005C1420
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4x nop then shr r10, 0Dh 0_2_005CC640
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4x nop then shr r10, 0Dh 0_2_005CDAC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4x nop then lock or byte ptr [rdx], dil 0_2_005C1B60
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49705 -> 185.196.10.218:9889
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49720
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49708
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0060C0E0 WSARecv, 0_2_0060C0E0
Source: powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1443151882.0000026726331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Detected potential crypto function
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005AD200 0_2_005AD200
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005E0540 0_2_005E0540
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005E79A0 0_2_005E79A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D6A20 0_2_005D6A20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C9B20 0_2_005C9B20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C8D20 0_2_005C8D20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005ADDA0 0_2_005ADDA0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005B6EE0 0_2_005B6EE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005A1FE0 0_2_005A1FE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005BA020 0_2_005BA020
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005EF160 0_2_005EF160
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005E2180 0_2_005E2180
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005BF1A0 0_2_005BF1A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005DE220 0_2_005DE220
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0061C460 0_2_0061C460
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005AA440 0_2_005AA440
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_00605420 0_2_00605420
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005BB480 0_2_005BB480
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005F2480 0_2_005F2480
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005DA520 0_2_005DA520
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005CC640 0_2_005CC640
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C6620 0_2_005C6620
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C36C0 0_2_005C36C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005FE720 0_2_005FE720
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D37C0 0_2_005D37C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005DD8C0 0_2_005DD8C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005F3940 0_2_005F3940
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005AE960 0_2_005AE960
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005BB9A0 0_2_005BB9A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D0A40 0_2_005D0A40
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C7A60 0_2_005C7A60
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005EBA20 0_2_005EBA20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005CDAC0 0_2_005CDAC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005B5AE0 0_2_005B5AE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_00607AA9 0_2_00607AA9
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005CCB00 0_2_005CCB00
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005A3BE0 0_2_005A3BE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005CFCC0 0_2_005CFCC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D9CE0 0_2_005D9CE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0061CC80 0_2_0061CC80
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005BADC0 0_2_005BADC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005C1DE0 0_2_005C1DE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005CEEA0 0_2_005CEEA0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005E0FC0 0_2_005E0FC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB4B4408CD 1_2_00007FFB4B4408CD
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FDAFC 4_2_000000F2811FDAFC
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: String function: 005D8F40 appears 516 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: String function: 005DB260 appears 632 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: String function: 005D9020 appears 33 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: String function: 005DAA40 appears 77 times
PE file contains more sections than normal
Source: 5yv6ZxNaTP.exe Static PE information: Number of sections : 15 > 10
Source: 5yv6ZxNaTP.exe Static PE information: Section: /19 ZLIB complexity 0.9984454719387755
Source: 5yv6ZxNaTP.exe Static PE information: Section: /32 ZLIB complexity 0.9945591517857143
Source: 5yv6ZxNaTP.exe Static PE information: Section: /65 ZLIB complexity 0.9997003573919108
Source: 5yv6ZxNaTP.exe Static PE information: Section: /78 ZLIB complexity 0.9953365100472813
Source: classification engine Classification label: mal68.spre.evad.mine.winEXE@5/4@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kooj2ijd.zhe.ps1 Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe File opened: C:\Windows\system32\d99eaf317a9ec33d6509637d666926e68eaab03c2511222c0f2b281ff7d0249aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe File opened: C:\Windows\system32\c497275e86134e360c36ca4b6f11eba33017d3a8ad0955706fae76390eeee7e3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: 5yv6ZxNaTP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 5yv6ZxNaTP.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: 5yv6ZxNaTP.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: 5yv6ZxNaTP.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: 5yv6ZxNaTP.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: 5yv6ZxNaTP.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: 5yv6ZxNaTP.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: 5yv6ZxNaTP.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: 5yv6ZxNaTP.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: 5yv6ZxNaTP.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: 5yv6ZxNaTP.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: 5yv6ZxNaTP.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: 5yv6ZxNaTP.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: 5yv6ZxNaTP.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: 5yv6ZxNaTP.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: 5yv6ZxNaTP.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: 5yv6ZxNaTP.exe String found in binary or memory: unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package net: hostLookupOrder(sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125unexpected character, want colonresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connection" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangeslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "Failed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: s
Source: 5yv6ZxNaTP.exe String found in binary or memory: unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package net: hostLookupOrder(sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125unexpected character, want colonresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connection" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangeslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "Failed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: s
Source: 5yv6ZxNaTP.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: unknown Process created: C:\Users\user\Desktop\5yv6ZxNaTP.exe "C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\5yv6ZxNaTP.exe "C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()" Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Section loaded: mswsock.dll Jump to behavior
Source: Nexus.lnk.1.dr LNK file: ..\..\..\..\..\..\..\Desktop\5yv6ZxNaTP.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 5yv6ZxNaTP.exe Static file information: File size 3255296 > 1048576
Source: 5yv6ZxNaTP.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x112000
Source: 5yv6ZxNaTP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: 5yv6ZxNaTP.exe Static PE information: section name: .xdata
Source: 5yv6ZxNaTP.exe Static PE information: section name: /4
Source: 5yv6ZxNaTP.exe Static PE information: section name: /19
Source: 5yv6ZxNaTP.exe Static PE information: section name: /32
Source: 5yv6ZxNaTP.exe Static PE information: section name: /46
Source: 5yv6ZxNaTP.exe Static PE information: section name: /65
Source: 5yv6ZxNaTP.exe Static PE information: section name: /78
Source: 5yv6ZxNaTP.exe Static PE information: section name: /90
Source: 5yv6ZxNaTP.exe Static PE information: section name: .symtab
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FFE1A push ebp; retf 4_2_000000F2811FFE2B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FE248 push ecx; retf 4_2_000000F2811FE329
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FF271 push edi; retf 4_2_000000F2811FF34B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FFE38 push ebp; retf 4_2_000000F2811FFE3B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FD8E8 push ecx; retf 4_2_000000F2811FD949
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 4_2_000000F2811FFE02 push ebp; retf 4_2_000000F2811FFE13

Boot Survival
barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galler
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0060A800 rdtscp 0_2_0060A800
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2876 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3664 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_005D4940 GetProcessAffinityMask,GetSystemInfo, 0_2_005D4940
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000001.00000002.1465103864.000002673D9A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: 5yv6ZxNaTP.exe, 00000000.00000002.2675712059.000002227DE54000.00000004.00000020.00020000.00000000.sdmp, 5yv6ZxNaTP.exe, 00000004.00000002.2675613804.0000027639FF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000001.00000002.1465103864.000002673D9A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0060A800 Start: 0060A809 End: 0060A81F 0_2_0060A800
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Code function: 0_2_0060A800 rdtscp 0_2_0060A800
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546425 Sample: 5yv6ZxNaTP.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 68 23 Sigma detected: Powershell create lnk in startup 2->23 25 Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE 2->25 27 AI detected suspicious sample 2->27 7 5yv6ZxNaTP.exe 2->7         started        11 5yv6ZxNaTP.exe 2->11         started        process3 dnsIp4 21 185.196.10.218, 49705, 49706, 49707 SIMPLECARRIERCH Switzerland 7->21 29 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 7->29 31 Potentially malicious time measurement code found 7->31 13 powershell.exe 17 7->13         started        signatures5 process6 file7 19 C:\Users\user\AppData\Roaming\...19exus.lnk, MS 13->19 dropped 33 Powershell creates an autostart link 13->33 17 conhost.exe 13->17         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.196.10.218
 unknown Switzerland
42624 SIMPLECARRIERCH false